Vulnerability Description
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmldom Project | Xmldom | < 0.7.0 |
Related Weaknesses (CWE)
References
- https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8bPatchThird Party Advisory
- https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8qThird Party Advisory
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/Not ApplicableThird Party Advisory
- https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8bPatchThird Party Advisory
- https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8qThird Party Advisory
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/Not ApplicableThird Party Advisory
FAQ
What is CVE-2021-32796?
CVE-2021-32796 is a vulnerability with a CVSS score of 6.5 (MEDIUM). xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when s...
How severe is CVE-2021-32796?
CVE-2021-32796 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32796?
Check the references section above for vendor advisories and patch information. Affected products include: Xmldom Project Xmldom.