CVE-2021-32696

Passing in a non-string 'html' argument can lead to unsanitized output

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause `striptags` to concatenate unsanitized strings when an array-like object is passed in as the `html` parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

El paquete npm "striptags" es una implementación de strip_tags de PHP en Typescript. En striptags versiones anteriores a 3.2.0, una vulnerabilidad de confusión de tipos puede causar que "striptags" concatene cadenas no saneadas cuando es pasado un objeto tipo array como el parámetro "html". Esto puede ser abusado por un atacante que pueda controlar la forma de su entrada, por ejemplo, si los parámetros query son pasados directamente a la función. Esto puede conllevar una vulnerabilidad de tipo XSS

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-06-18 CVE Published
2024-03-03 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-241: Improper Handling of Unexpected Data Type
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CAPEC

References (4)

URL	Tag	Source
https://github.com/ericnorris/striptags/releases/tag/v3.2.0	Third Party Advisory
https://github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49r	Third Party Advisory
https://www.npmjs.com/package/striptags	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2faca	2021-06-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Striptags Project Search vendor "Striptags Project"		Striptags Search vendor "Striptags Project" for product "Striptags"				< 3.2.0 Search vendor "Striptags Project" for product "Striptags" and version " < 3.2.0"		node.js		Affected