Lucene search
AnonymousNODEJS:1769HistoryAug 03, 2021 - 4:57 p.m.
Misinterpretation of malicious XML input
2021-08-0316:57:27
Anonymous
www.npmjs.com
43
0.001 Low
EPSS
Percentile
35.7%
Overview
Impact
xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.
Patches
Update to 0.7.0
(see issue #271 for the status of publishing the version to npm or join for Q&A/discussion #270 until it’s resolved)
Workarounds
Downstream applications can validate the input and reject the maliciously crafted documents.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
xmldom/xmldom - Email us: send an email to all addresses that are shown by
npm owner ls xmldom
Recommendation
Upgrade to version 0.7.0 or later
References
Related
redhatcve
redhatcve
CVE-2021-32796
2021-07-29 14:25:41
veracode
veracode
XML Injection
2021-07-29 03:04:59
osv
osv
CVE-2021-32796
2021-07-27 22:15:07
Misinterpretation of malicious XML input
2021-08-03 16:57:05
cvelist
cvelist
CVE-2021-32796 Misinterpretation of malicious XML input in xmldom
2021-07-27 21:45:13
prion
prion
Input validation
2021-07-27 22:15:00
debiancve
debiancve
CVE-2021-32796
2021-07-27 22:15:07
nvd
nvd
CVE-2021-32796
2021-07-27 22:15:07
github
github
Misinterpretation of malicious XML input
2021-08-03 16:57:05
cve
cve
CVE-2021-32796
2021-07-27 22:15:07
ubuntucve
ubuntucve
CVE-2021-32796
2021-07-27 00:00:00
