CVE-2021-23445

low-risk
Published 2021-09-27

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.

Do I need to act?

-
0.38% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Datatables.Net

Affected Vendors

Datatables

References (14)

Release Notes https://cdn.datatables.net/1.11.3/
Patch https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783b...
https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html
https://security.netapp.com/advisory/ntap-20240621-0006/
Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371
Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376
Exploit https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544
Release Notes https://cdn.datatables.net/1.11.3/
Patch https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783b...
https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html
https://security.netapp.com/advisory/ntap-20240621-0006/
Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371
Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376
Exploit https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544
17
/ 100
low-risk
Severity 11/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal