Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Remediation

References

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

Related Vulnerabilities

CVE-2022-39299 Vulnerability in npm package passport-saml

CVE-2021-3377 Vulnerability in npm package ansi_up

CVE-2022-23305 Vulnerability in maven package log4j:log4j

CVE-2022-24377 Vulnerability in npm package cycle-import-check

CVE-2021-21353 Vulnerability in maven package org.webjars.npm:pug-code-gen

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory