Vulnerability CVE-2021-23342
Published: 2021-02-19

Description:
This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more ??////? characters

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Docsifyjs -> Docsify 

 References:
http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2021/Feb/71
https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fe
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593
https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017
Copyright 2024, cxsecurity.com

 

Back to Top