CVE-2021-22540 (GCVE-0-2021-22540)
Vulnerability from cvelistv5
Published
2021-04-22 14:15
Modified
2024-08-03 18:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Summary
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Google LLC | Dart SDK |
Version: stable < 2.12.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:44:14.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Dart SDK",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "2.12.3",
"status": "affected",
"version": "stable",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vincenzo di Cicco"
}
],
"descriptions": [
{
"lang": "en",
"value": "Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-22T14:15:17",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "XSS in Dart SDK",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2021-22540",
"STATE": "PUBLIC",
"TITLE": "XSS in Dart SDK"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Dart SDK",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.12.3"
}
]
}
}
]
},
"vendor_name": "Google LLC"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vincenzo di Cicco"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522",
"refsource": "CONFIRM",
"url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522"
},
{
"name": "https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588",
"refsource": "CONFIRM",
"url": "https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2021-22540",
"datePublished": "2021-04-22T14:15:17",
"dateReserved": "2021-01-05T00:00:00",
"dateUpdated": "2024-08-03T18:44:14.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-22540\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2021-04-22T15:15:07.930\",\"lastModified\":\"2024-11-21T05:50:18.160\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.\"},{\"lang\":\"es\",\"value\":\"Una mala l\u00f3gica de comprobaci\u00f3n en el Dart SDK versiones anteriores a 2.12.3 permite a un atacante usar un ataque de tipo XSS por medio de DOM clobbering.\u0026#xa0;La l\u00f3gica de comprobaci\u00f3n en dart: html para crear nodos DOM a partir de texto no se saneaban apropiadamente cuando se encontraba con etiquetas de plantilla\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.12.3\",\"matchCriteriaId\":\"E9ECB219-E894-4499-9918-2199CA9532EA\"}]}]}],\"references\":[{\"url\":\"https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…