CVE-2021-23443
Cross-site Scripting (XSS)
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.
Esto afecta al paquete edge.js versiones anteriores a 5.3.2. Puede ser usada una vulnerabilidad de confusiĆ³n de tipo para omitir el saneamiento de entradas cuando la entrada que se va a representar es una matriz (en lugar de una cadena o un SafeValue), incluso si se usan {{ }}
*Credits:
Alessio Della Libera of Snyk Research Team
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-01-08 CVE Reserved
- 2021-09-21 CVE Published
- 2024-04-27 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://snyk.io/vuln/SNYK-JS-EDGEJS-1579556 | 2024-09-16 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/edge-js/edge/commit/fa2c7fde86327aeae232752e89a6e37e2e469e21 | 2022-05-03 |
| URL | Date | SRC |
|---|