Vulnerability Description
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ansi Up Project | Ansi Up | < 5.0.0 |
References
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf (Exploit, Third Party Advisory)
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e2 (Patch, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20241108-0002/
FAQ
What is CVE-2021-3377?
CVE-2021-3377 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by ...
How severe is CVE-2021-3377?
CVE-2021-3377 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-3377?
Check the references section above for vendor advisories and patch information. Affected products include: Ansi Up Project Ansi Up.