CVE-2021-23411
Cross-site Scripting (XSS) vulnerability in anchorme (npm)

Vulnerability type: Cross-site Scripting (XSS). Known public exploit: none.

What is CVE-2021-23411 About?

All versions of the 'anchorme' package are vulnerable to Cross-site Scripting (XSS) via its main functionality. Attackers can inject malicious scripts into web pages that use the package, leading to client-side code execution. Exploitation requires user-controlled input to be processed by the library.

Affected Software

anchorme <=2.1.2

Technical Details

The vulnerability affects all versions of the 'anchorme' package and stems from insufficient sanitization or encoding of potentially malicious input in its core functionality, specifically when it processes text and converts URLs into clickable links. An attacker can embed crafted script tags or other HTML injection vectors (e.g., event handlers within attributes, such as onmouseover) in the input text. When 'anchorme' processes this text and the result is rendered in a web browser, the injected script executes in the context of the user's browser session. This can allow session hijacking, defacement, or redirection to malicious sites.

What is the Impact of CVE-2021-23411?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement of web pages, sensitive data theft (e.g., cookies, credentials), and redirection to malicious sites.

What is the Exploitability of CVE-2021-23411?

Exploitation is of moderate complexity. It requires an attacker to be able to provide user-controlled input that is subsequently processed by the 'anchorme' package and rendered on a webpage. This is a remote, client-side attack. No specific authentication or privilege levels are typically required for the attacker on the server side, only the ability to submit data that is then reflected. The primary prerequisite is that the web application uses 'anchorme' to process untrusted user input without proper output encoding. The risk is high in applications that allow user-generated content (e.g., comments, forum posts, profiles) to be processed by 'anchorme' and directly displayed to other users.
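The root cause described in the Technical Details and the prerequisite named above (untrusted input linkified without output encoding) come down to one pattern: text is placed into HTML as-is. The following added example is not anchorme's code; it is a minimal URL-to-link converter written for this page, showing the unsafe pattern next to a hardened version that HTML-encodes every text segment before wrapping the URL segments in anchors. `URL_RE`, `linkifyUnsafe`, `linkifySafe`, `escapeHtml` and `SAMPLE_INPUT` are all illustrative names, and the sample input is constructed.

```javascript
// Added example, not anchorme's own code. A minimal linkifier in the style of
// the library: URLs in free text become <a> elements. Names and the regex are
// illustrative.

// Only http/https URLs are recognised; the character class stops at
// whitespace, angle brackets and quotes so a URL cannot contain attribute
// delimiters. The scheme being fixed here also rules out javascript: hrefs.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// Unsafe pattern: the untrusted text is written into HTML unchanged, so any
// markup in the input (script tags, event-handler attributes) reaches the DOM.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-encode the five characters that can alter HTML structure or break out
// of a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: split the text into URL and non-URL segments, encode each
// segment, and only then wrap the URL segments in anchors. Encoding is applied
// to every byte of user data that reaches the output, while the anchor markup
// itself is generated by this function and never taken from the input.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: a legitimate URL followed by the kind of event-handler
// injection the advisory describes.
const SAMPLE_INPUT =
  'Visit https://example.com/?a=1&b=2 and <b onmouseover="alert(1)">hover</b>';

// Returns true when the rendered HTML contains no tags other than the <a>
// elements the linkifier itself generated.
function onlyAnchorsRemain(html) {
  return !html.replace(/<\/?a\b[^>]*>/g, "").includes("<");
}

console.log("unsafe :", linkifyUnsafe(SAMPLE_INPUT));
console.log("safe   :", linkifySafe(SAMPLE_INPUT));
console.log("only anchors in safe output:", onlyAnchorsRemain(linkifySafe(SAMPLE_INPUT)));
```

Run with `node linkify.js`. The unsafe output still carries the `<b onmouseover=...>` element verbatim; the safe output renders it as literal text (`&lt;b onmouseover=&quot;alert(1)&quot;&gt;`) while the URL remains a working link, with `&` in its query string encoded as `&amp;`, which browsers decode back to `&` in the attribute. The same principle applies when using a third-party linkifier: either encode the text before handing it to the library, or pass the library's output through an HTML sanitizer before inserting it into the DOM.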

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2021-23411?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23411?

Similar Vulnerabilities: CVE-2021-23377, CVE-2021-23376, CVE-2021-23375, CVE-2021-23374, CVE-2021-23343