cvelist | GitHub_M | CVELIST:CVE-2021-32696
Jun 18, 2021 - 7:35 p.m.

CVE-2021-32696 Passing in a non-string 'html' argument can lead to unsanitized output

2021-06-18 19:35:13
CWE-241
CWE-79
GitHub_M
www.cve.org
security vulnerability
striptags
npm package
type-confusion
unsanitized output
xss

CVSS3: 3.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 48.3%

The npm package “striptags” is an implementation of PHP’s strip_tags in TypeScript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. An attacker who can control the shape of their input can abuse this, e.g. if query parameters are passed directly into the function. This can lead to XSS.
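The type confusion described above, as an added example that is not striptags' own code: a simplified index-walking stripper (`naiveStrip`, hypothetical) beside a caller-side guard (`safeStrip`, hypothetical) that rejects non-string input. `parseQuery` is an assumed stand-in for query parsers that turn a repeated key into an array.

```javascript
// Constructed model of the bug class; NOT the striptags source.
// Models query parsers that turn a repeated key into an array of values.
function parseQuery(qs) {
  const out = Object.create(null);
  for (const [k, v] of new URLSearchParams(qs)) {
    out[k] = k in out ? [].concat(out[k], v) : v;
  }
  return out;
}

// Hypothetical stripper that walks `html` by index and assumes every
// html[i] is ONE character. That assumption only holds for strings.
function naiveStrip(html) {
  let out = '';
  let inTag = false;
  for (let i = 0; i < html.length; i++) {
    const ch = html[i];
    if (ch === '<') inTag = true;
    else if (ch === '>') inTag = false;
    else if (!inTag) out += ch; // for an array, ch is a whole element
  }
  return out;
}

// Caller-side guard: fail closed on anything that is not a primitive string.
function safeStrip(html) {
  if (typeof html !== 'string') {
    throw new TypeError("'html' must be a string, got " +
      (Array.isArray(html) ? 'array' : typeof html));
  }
  return naiveStrip(html);
}

// Constructed inputs: the same markup sent once, then with the key repeated.
const single = parseQuery('html=%3Cb%3Ehi%3C%2Fb%3E').html;
const repeated = parseQuery('html=%3Cb%3Ehi%3C%2Fb%3E&html=!').html;

console.log(naiveStrip(single));   // string input: tags removed
console.log(naiveStrip(repeated)); // array input: elements concatenated as-is
try {
  safeStrip(repeated);
} catch (e) {
  console.log(e.message);          // guard rejects the array
}
```

The same guard belongs at any boundary where parsed request data reaches a function that expects a string, regardless of which sanitizer sits behind it.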

CNA Affected

[
  {
    "product": "striptags",
    "vendor": "ericnorris",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.2.0"
      }
    ]
  }
]
