Improper Interaction Between Multiple Correctly-Behaving Entities in xmldom - CVE-2021-21366
Published: June 2, 2023
Vulnerability identifier: #VU76822
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21366
CWE-ID: CWE-435
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
xmldom
xmldom
Software vendor:
xmldom
xmldom
Description
The vulnerability allows a remote attacker to gain access to the system.
The vulnerability exists due to xmldom do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. A remote attacker can send a specially crafted file and make syntactic changes during XML processing in some downstream applications.
Remediation
Install updates from vendor's website.
External links
- https://github.com/xmldom/xmldom/releases/tag/0.5.0
- https://www.npmjs.com/package/xmldom
- https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
- https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
- https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html