Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Remediation

References

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

Related Vulnerabilities

CVE-2022-23812 Vulnerability in npm package node-ipc

CVE-2022-25867 Vulnerability in maven package io.socket:socket.io-client

CVE-2020-7701 Vulnerability in npm package madlib-object-utils

CVE-2017-7672 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2021-41182 Vulnerability in maven package org.webjars.bower:jquery-ui

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Patch