GitHub Advisory DatabaseGHSA-QXG5-2QFF-P49RPassing in a non-string 'html' argument can lead to unsanitized output
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
48.3%
A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.
Impact
XSS
Patches
3.2.0
Workarounds
Ensure that the html parameter is a string before calling the function.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| striptags_project | striptags | * | cpe:2.3:a:striptags_project:striptags:*:*:*:*:*:node.js:*:* |
References
github.com/advisories/GHSA-qxg5-2qff-p49r
github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2faca
github.com/ericnorris/striptags/releases/tag/v3.2.0
github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49r
nvd.nist.gov/vuln/detail/CVE-2021-32696
www.npmjs.com/package/striptags
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
48.3%