CVE-2021-21366

low-risk
Published 2021-03-12

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Do I need to act?

-
0.57% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Xmldom

Affected Vendors

Debian Xmldom Project

References (10)

Patch https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
Release Notes https://github.com/xmldom/xmldom/releases/tag/0.5.0
Vendor Advisory https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
Product https://www.npmjs.com/package/xmldom
Patch https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
Release Notes https://github.com/xmldom/xmldom/releases/tag/0.5.0
Vendor Advisory https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
Product https://www.npmjs.com/package/xmldom
27
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 7/34 · Low