1. Home
  2. CVE Database
  3. CVE-2020-8923
MEDIUM · 5.4

CVE-2020-8923

An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject cu...

Vulnerability Description

An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
DartDart Software Development Kit< 2.7.2

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2020-8923?

CVE-2020-8923 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject cu...

How severe is CVE-2020-8923?

CVE-2020-8923 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8923?

Check the references section above for vendor advisories and patch information. Affected products include: Dart Dart Software Development Kit.