Lucene search

GoogleCVE-2020-8923

HistoryMar 26, 2020 - 12:15 p.m.

CVE-2020-8923

2020-03-2612:15:12

CWE-79

Google

web.nvd.nist.gov

cve-2020-8923

html sanitization

xss

dom clobbering

dart sdk

update mitigation

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.8%

JSON

An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.

Affected configurations

Nvd

Vulners

Node

dartdart_software_development_kitRange<2.7.2

dartdart_software_development_kitMatch2.8.0dev0.0

dartdart_software_development_kitMatch2.8.0dev1.0

dartdart_software_development_kitMatch2.8.0dev10.0

dartdart_software_development_kitMatch2.8.0dev11.0

dartdart_software_development_kitMatch2.8.0dev12.0

dartdart_software_development_kitMatch2.8.0dev13.0

dartdart_software_development_kitMatch2.8.0dev14.0

dartdart_software_development_kitMatch2.8.0dev15.0

dartdart_software_development_kitMatch2.8.0dev16.0

dartdart_software_development_kitMatch2.8.0dev2.0

dartdart_software_development_kitMatch2.8.0dev3.0

dartdart_software_development_kitMatch2.8.0dev4.0

dartdart_software_development_kitMatch2.8.0dev5.0

dartdart_software_development_kitMatch2.8.0dev6.0

dartdart_software_development_kitMatch2.8.0dev7.0

dartdart_software_development_kitMatch2.8.0dev8.0

dartdart_software_development_kitMatch2.8.0dev9.0

VendorProductVersionCPE
dartdart_software_development_kit*cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev0.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev1.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev10.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev11.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev12.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev13.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev14.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev15.0:*:*:*:*:*:*
dartdart_software_development_kit2.8.0cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev16.0:*:*:*:*:*:*

Vendor	Product	Version	CPE
dart	dart_software_development_kit	*	cpe:2.3:a:dart:dart_software_development_kit::::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev0.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev1.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev10.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev11.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev12.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev13.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev14.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev15.0::::::
dart	dart_software_development_kit	2.8.0	cpe:2.3:a:dart:dart_software_development_kit:2.8.0:dev16.0::::::

Rows per page:

1-10 of 181

CNA Affected

[
  {
    "product": "Dart SDK",
    "vendor": "Google",
    "versions": [
      {
        "lessThanOrEqual": "2.7.1",
        "status": "affected",
        "version": "stable",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "2.8.0-dev.16.0",
        "status": "affected",
        "version": "dev",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/dart-lang/sdk/security/advisories/GHSA-hfq3-v9pv-p627

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.8%

JSON

Related for CVE-2020-8923