Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-21366

Good to know:

icon
icon

Date: March 11, 2021

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Language: JS

Severity Score

Related Resources (8)

https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
https://www.npmjs.com/package/xmldom
https://github.com/xmldom/xmldom/releases/tag/0.5.0
https://github.com/xmldom/xmldom
https://nvd.nist.gov/vuln/detail/CVE-2021-21366
https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
https://www.mend.io/vulnerability-database/CVE-2021-21366

Severity Score

Weakness Type (CWE)

Interpretation Conflict

CWE-436

Misinterpretation of Input

CWE-115

Top Fix

icon

Upgrade Version

Upgrade to version 0.5.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us