CVE-2021-32696 Vulnerability Details

  /     /     /  

CVE-2021-32696 Metadata Quick Info

CVE Published: 18/06/2021 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: GitHub_M | Vendor: ericnorris | Product: striptags
Status : PUBLISHED

---

CVE-2021-32696 Description

The npm package "striptags" is an implementation of PHP\'s strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause `striptags` to concatenate unsanitized strings when an array-like object is passed in as the `html` parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

Metrics

CVSS Version: 3.1 | Base Score: 3.7 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* NONE
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-241
CWE Name: CWE-241: Improper Handling of Unexpected Data Type
Source: ericnorris

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).