CVE-2021-23342 — HIGH (8.6)

Q: How severe is CVE-2021-23342?

CVE-2021-23342 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-23342?

Check the references section above for vendor advisories and patch information. Affected products include: Docsifyjs Docsify.

Vulnerability Description

This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Docsifyjs	Docsify	< 4.12.0

Related Weaknesses (CWE)

CWE-79

References

http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.ExploitThird Party Advisory
http://seclists.org/fulldisclosure/2021/Feb/71Mailing ListThird Party Advisory
https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c081PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017ExploitThird Party Advisory
http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.ExploitThird Party Advisory
http://seclists.org/fulldisclosure/2021/Feb/71Mailing ListThird Party Advisory
https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c081PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017ExploitThird Party Advisory

FAQ

What is CVE-2021-23342?

CVE-2021-23342 is a vulnerability with a CVSS score of 8.6 (HIGH). This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from ...

How severe is CVE-2021-23342?

CVE-2021-23342 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-23342?

Check the references section above for vendor advisories and patch information. Affected products include: Docsifyjs Docsify.