Platform
nodejs
Component
striptags
Fixed in
3.2.1
3.2.0
CVE-2021-32696 describes a type-confusion vulnerability found in the striptags Node.js package. This flaw allows an attacker to potentially trigger cross-site scripting (XSS) by manipulating the input passed to the striptags function. The vulnerability affects versions prior to 3.2.0 and can be exploited if query parameters are directly passed into the function without proper sanitization. A fix is available in version 3.2.0.
The core impact of CVE-2021-32696 is the potential for cross-site scripting (XSS). An attacker can exploit this vulnerability by crafting malicious input that, when processed by striptags, results in the concatenation of unsanitized strings. This concatenated string can then be injected into a web page, allowing the attacker to execute arbitrary JavaScript code in the victim's browser. The attacker could steal session cookies, redirect users to phishing sites, or deface the website. The blast radius depends on the application's usage of striptags and the sensitivity of the data handled by the application. If user-supplied data is directly used in HTML output after being processed by striptags without proper escaping, the risk is significantly higher.
CVE-2021-32696 was publicly disclosed on June 18, 2021. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the type-confusion flaw. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited impact and ease of mitigation.
Applications that rely on the striptags Node.js package for sanitizing HTML input are at risk. This includes web applications that accept user-provided HTML content, such as forums, blog comment systems, or content management systems. Specifically, applications that directly use the output of striptags in HTML without further escaping are particularly vulnerable.
• nodejs / server:
`npm list striptags`
This command lists the installed versions of striptags. Check whether the version is lower than 3.2.0.
• nodejs / server:
`grep -r 'striptags(' /path/to/your/app`
Search your codebase for calls to the striptags function and review each call to ensure the input is properly validated.
• generic web:
Review application logs for unusual patterns or errors related to the striptags package. Look for instances where user-supplied data is directly injected into HTML output.
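The version check above can be automated for a whole dependency tree, since striptags is often pulled in transitively rather than as a direct dependency. The following is an added example, not code from the advisory or from the striptags project: it walks the JSON that `npm ls striptags --json --all` emits (a constructed sample of that shape is embedded) and flags every installed copy older than the fixed release 3.2.0.

```javascript
// Added example: audit `npm ls striptags --json --all` output for copies of
// striptags below the fixed version. Not part of the advisory or the project.
const FIXED_VERSION = '3.2.0';

// Compare two dotted versions numerically; returns -1, 0 or 1.
// Pre-release suffixes (e.g. '3.2.0-beta.1') are not handled; assumption:
// released versions only, which is what a lockfile normally contains.
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Recursively collect every striptags node in the npm dependency tree,
// recording its path from the root so transitive copies can be traced.
function findStriptags(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'striptags' && node.version) {
      out.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerableVersion(node.version),
      });
    }
    findStriptags(node, here, out);
  }
  return out;
}

// Constructed sample in the shape `npm ls --json --all` produces: one direct
// copy of striptags that is below 3.2.0 and one nested copy that is fixed.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    striptags: { version: '3.1.1' },
    'some-lib': {
      version: '2.0.0',
      dependencies: {
        striptags: { version: '3.2.0' },
      },
    },
  },
});

function auditSample() {
  return findStriptags(JSON.parse(SAMPLE_NPM_LS));
}

// Run stand-alone to print the findings for the embedded sample; in practice
// feed it the real output: findStriptags(JSON.parse(stdoutOfNpmLs)).
for (const hit of auditSample()) {
  console.log(`${hit.path}@${hit.version} ${hit.vulnerable ? 'VULNERABLE (< 3.2.0)' : 'ok'}`);
}
```

Pipe the real `npm ls striptags --json --all` output into `findStriptags` to get the same report for an actual project; the `vulnerable` flag is the condition the bullet above asks you to check by hand.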
disclosure
Exploit Status
EPSS
0.29% (53rd percentile)
CVSS Vector
The primary mitigation for CVE-2021-32696 is to upgrade the striptags package to version 3.2.0 or later. This version includes a fix that addresses the type-confusion vulnerability. If upgrading is not immediately feasible, a workaround involves ensuring that the html parameter passed to the striptags function is always a string. This can be achieved by explicitly casting the input to a string before calling the function. Additionally, implement robust input validation and sanitization practices throughout your application to prevent the injection of malicious code. After upgrading, confirm the fix by attempting to trigger the vulnerability with crafted input and verifying that it is no longer exploitable.
Update the striptags dependency to version 3.2.0 or later. This fixes the type-confusion vulnerability that can lead to XSS. Run `npm install striptags@latest` or `yarn upgrade striptags@latest` to update.
CVE-2021-32696 is a type-confusion vulnerability in the striptags Node.js package that can lead to XSS if an array-like object is passed as the 'html' parameter.
You are affected if you are using a version of striptags prior to 3.2.0 and are passing user-controlled data directly into the function without proper validation.
Upgrade the striptags package to version 3.2.0 or later. Alternatively, ensure the 'html' parameter is always a string before calling the function.
There is no current evidence of active exploitation campaigns targeting CVE-2021-32696, but public proof-of-concept exploits exist.
Refer to the striptags project's GitHub repository for details and updates: https://github.com/luxon/striptags/issues/71