Vulnerability Description
Bad validation logic in Dart SDK versions prior to 2.12.3 allows an attacker to mount an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it encountered template tags.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dart | Dart Software Development Kit | < 2.12.3 |
References
- https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588 (Patch, Third Party Advisory)
- https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522 (Broken Link)
FAQ
What is CVE-2021-22540?
CVE-2021-22540 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Bad validation logic in Dart SDK versions prior to 2.12.3 allows an attacker to mount an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it encountered template tags.
How severe is CVE-2021-22540?
CVE-2021-22540 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-22540?
Check the references section above for vendor advisories and patch information. Affected products include the Dart Software Development Kit (vendor: Dart), versions prior to 2.12.3.