QwikSec

Security Database

CVE

CWE

Training

CVE-2021-23342

Published: Feb 19, 2021

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

8.6

HIGH

Description

This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters

Vendor	Product	Versions
n/a	docsify	affected `unspecified - < 4.12.0`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

References

https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017

x_refsource_MISC

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593

x_refsource_MISC

https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fe

x_refsource_MISC

20210219 [KIS-2021-02] docsify <= 4.11.6 DOM-based Cross-Site Scripting Vulnerability

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.