CVE-2021-23445
Improper Input Validation vulnerability in datatables.net (npm)

Weakness: Improper Input Validation | Exploit status: No known exploit | Fixable by: Resolved Security

What is CVE-2021-23445 About?

This vulnerability in datatables.net before 1.11.3 involves a failure to escape HTML entities when an array is passed to the escape function. This can lead to Cross-Site Scripting (XSS) if malicious content is introduced into the array. Exploitation requires providing a specially crafted array as input.

Affected Software

datatables.net <1.11.3

Technical Details

The vulnerability in datatables.net versions prior to 1.11.3 occurs because the HTML entity escaping function does not properly process array inputs: only string inputs are sanitized, so an array passed to the function is returned with its contents unescaped. An attacker can craft an array containing HTML or script tags and supply it as input. If this unescaped array content is then rendered in a web page, it leads to Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary client-side scripts in the context of the user's browser.

What is the Impact of CVE-2021-23445?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, hijack user sessions, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2021-23445?

Exploitation is of low to moderate complexity, requiring the ability to supply an array of data to datatables.net that is subsequently rendered in the HTML. No authentication is required if the input can be provided through an unauthenticated interface. This is typically a remote, client-side vulnerability. The primary prerequisite is that the application uses an affected datatables.net version and passes untrusted array data to an HTML-rendering context without prior sanitization. The risk increases in applications that display user-generated content in data tables.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits | - | - | -

What are the Available Fixes for CVE-2021-23445?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch updates the HTML escaping function to handle array inputs by joining them into a comma-separated string before escaping, whereas previously only string inputs were sanitized. This fixes CVE-2021-23445 by preventing potential XSS attacks that could occur if arrays containing untrusted data were rendered directly into HTML without proper escaping.
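The following is an added illustration of the defect described in the Technical Details and of the patch described above; it is not datatables.net's own source or Resolved Security's patch. The function names, the escaping rules and the sample cell value are assumptions made for the example.

```javascript
// Added illustration of CVE-2021-23445 (not datatables.net's own code):
// an escape helper reconstructed from the advisory, before and after the fix.

// Pre-1.11.3 behaviour (reconstructed): only strings are escaped; any other
// value, including an array, is returned untouched.
function escapeHtmlVulnerable(d) {
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;')
       .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
    : d;
}

// Fixed behaviour (as the advisory describes the patch): an array is joined
// into a comma-separated string first, so its contents go through escaping.
function escapeHtmlFixed(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;')
       .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
    : d;
}

// Simulates a cell being rendered by string concatenation: an unescaped array
// is coerced via Array.prototype.toString, which joins with commas and does
// no escaping, so markup inside it reaches the page verbatim.
function renderCell(escapeFn, value) {
  return '<td>' + escapeFn(value) + '</td>';
}

// Detection helper for a quick self-check: does rendered output still carry
// an unescaped script tag?
function containsRawTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed untrusted input: a multi-value cell carrying markup.
const untrustedCell = ['Alice', '<script>alert(1)</script>'];

const before = renderCell(escapeHtmlVulnerable, untrustedCell);
const after = renderCell(escapeHtmlFixed, untrustedCell);
console.log('vulnerable:', before, 'raw tag present:', containsRawTag(before));
console.log('fixed:     ', after, 'raw tag present:', containsRawTag(after));
```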

Available Upgrade Options

  • datatables.net
    • <1.11.3 → Upgrade to 1.11.3


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23445?

Similar Vulnerabilities: CVE-2020-13763, CVE-2020-26217, CVE-2021-23398, CVE-2021-23429, CVE-2021-23438