Platform
nodejs
Component
striptags
Fixed in
3.2.1
3.2.0
CVE-2021-32696 describes a type-confusion vulnerability found in the striptags Node.js package. This flaw allows an attacker to potentially trigger cross-site scripting (XSS) by manipulating the input passed to the striptags function. The vulnerability affects versions prior to 3.2.0 and can be exploited if query parameters are directly passed into the function without proper sanitization. A fix is available in version 3.2.0.
The core impact of CVE-2021-32696 is the potential for cross-site scripting (XSS). An attacker can exploit this vulnerability by crafting malicious input that, when processed by striptags, results in the concatenation of unsanitized strings. This concatenated string can then be injected into a web page, allowing the attacker to execute arbitrary JavaScript code in the victim's browser. The attacker could steal session cookies, redirect users to phishing sites, or deface the website. The blast radius depends on the application's usage of striptags and the sensitivity of the data handled by the application. If user-supplied data is directly used in HTML output after being processed by striptags without proper escaping, the risk is significantly higher.
CVE-2021-32696 was publicly disclosed on June 18, 2021. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the type-confusion flaw. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited impact and ease of mitigation.
Applications that rely on the striptags Node.js package for sanitizing HTML input are at risk. This includes web applications that accept user-provided HTML content, such as forums, blog comment systems, or content management systems. Specifically, applications that directly use the output of striptags in HTML without further escaping are particularly vulnerable.
• nodejs / server:
`npm list striptags`
Lists the installed versions of striptags. Check whether the version is lower than 3.2.0.
• nodejs / server:
`grep -r 'striptags(' /path/to/your/app`
Searches your codebase for calls to the striptags function. Review these calls to ensure proper input validation.
• generic web:
Review application logs for unusual patterns or errors related to the striptags package. Look for instances where user-supplied data is directly injected into HTML output.
Disclosure
Exploit status
EPSS
0.29% (53rd percentile)
CVSS vector
The primary mitigation for CVE-2021-32696 is to upgrade the striptags package to version 3.2.0 or later. This version includes a fix that addresses the type-confusion vulnerability. If upgrading is not immediately feasible, a workaround involves ensuring that the html parameter passed to the striptags function is always a string. This can be achieved by explicitly casting the input to a string before calling the function. Additionally, implement robust input validation and sanitization practices throughout your application to prevent the injection of malicious code. After upgrading, confirm the fix by attempting to trigger the vulnerability with crafted input and verifying that it is no longer exploitable.
Update the striptags dependency to version 3.2.0 or later. This fixes the type-confusion vulnerability that can lead to XSS. Run `npm install striptags@latest` or `yarn upgrade striptags@latest` to update.
CVE-2021-32696 is a type-confusion vulnerability in the striptags Node.js package that can lead to XSS if an array-like object is passed as the 'html' parameter.
You are affected if you are using a version of striptags prior to 3.2.0 and are passing user-controlled data directly into the function without proper validation.
Upgrade the striptags package to version 3.2.0 or later. Alternatively, ensure the 'html' parameter is always a string before calling the function.
There is no current evidence of active exploitation campaigns targeting CVE-2021-32696, but public proof-of-concept exploits exist.
Refer to the striptags project's GitHub repository for details and updates: https://github.com/luxon/striptags/issues/71