CVE-2021-23445 - OpenCVE

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Datatables	Datatables.net

Configuration 1 [-]

cpe:2.3:a:datatables:datatables.net:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://cdn.datatables.net/1.11.3/	Release Notes Vendor Advisory
https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html
https://security.netapp.com/advisory/ntap-20240621-0006/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2021-09-27T00:00:00

Updated: 2024-06-26T19:14:56.106Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23445

JSON object: View

NVD Information

Status : Modified

Published: 2021-09-27T17:15:08.137

Modified: 2024-06-21T19:15:16.693

Link: CVE-2021-23445

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-23445", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-06-26T19:14:56.106Z", "dateReserved": "2021-01-08T00:00:00", "datePublished": "2021-09-27T00:00:00"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS)", "datePublic": "2021-09-27T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-06-21T19:07:03.224059"}, "descriptions": [{"lang": "en", "value": "This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped."}], "affected": [{"vendor": "n/a", "product": "datatables.net", "versions": [{"version": "unspecified", "lessThan": "1.11.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376"}, {"url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b"}, {"url": "https://cdn.datatables.net/1.11.3/"}, {"name": "[debian-lts-announce] 20230815 [SECURITY] [DLA 3529-1] datatables.js security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "credits": [{"lang": "en", "value": "Alessio Della Libera of Snyk Research Team"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 3.1, "temporalScore": 3, "baseSeverity": "LOW", "temporalSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Cross-site Scripting (XSS)"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T19:14:48.651246Z", "id": "CVE-2021-23445", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:14:56.106Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:datatables:datatables.net:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C4188C3B-D3DD-41BF-8B50-3B779AFFC7E2", "versionEndExcluding": "1.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped."}, {"lang": "es", "value": "Esto afecta al paquete datatables.net versiones anteriores a 1.11.3. Si se pasa un array a la funci\u00f3n de entidades de escape de HTML no se escapa su contenido"}], "id": "CVE-2021-23445", "lastModified": "2024-06-21T19:15:16.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-09-27T17:15:08.137", "references": [{"source": "report@snyk.io", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://cdn.datatables.net/1.11.3/"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b"}, {"source": "report@snyk.io", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html"}, {"source": "report@snyk.io", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}