Bug 2257732 (CVE-2021-23445) - CVE-2021-23445 datatables.net: contents of array not escaped by HTML escape entities function
Keywords:
Status: NEW
Alias: CVE-2021-23445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257736
Blocks: 2257734
Reported: 2024-01-10 16:17 UTC by ybuenos
Modified: 2024-02-07 13:09 UTC
CC List: 46 users

Fixed In Version: datatables.net 1.11.3
Doc Type: If docs needed, set a value
Doc Text:
An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, its contents are not escaped, possibly leading to cross-site scripting (XSS).
Clone Of:
Environment:
Last Closed:
Embargoed:
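
The failure mode described in the Doc Text, shown as an added example that is not taken from the datatables.net source: an escape helper that only handles strings returns an array untouched, and the array's contents reach the markup when it is concatenated into HTML. All function names and the sample data are assumptions made for illustration.

```javascript
// Constructed illustration; not datatables.net code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeString(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Flawed pattern: only strings are escaped, so an array (or any other
// non-string value) is handed back exactly as it came in.
function escapeStringsOnly(d) {
  return typeof d === 'string' ? escapeString(d) : d;
}

// Hardened form (one possible approach, assumed here): flatten the array the
// same way string concatenation would (join with ','), then escape the result.
function escapeEntities(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string' ? escapeString(d) : d;
}

// Hypothetical renderer: builds cell markup by string concatenation, which
// implicitly stringifies whatever the escape function returned.
function renderCell(value, escapeFn) {
  return '<td>' + escapeFn(value) + '</td>';
}

// Constructed sample cell data: an array whose elements contain markup.
const SAMPLE = ['<i>a</i>', 'b & c'];

const unsafeCell = renderCell(SAMPLE, escapeStringsOnly); // markup survives
const safeCell = renderCell(SAMPLE, escapeEntities);      // markup is neutralized
```
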