PT-2020-13811 · Owasp · Owasp Json-Sanitizer
Fabian Henneke +1
Published 2020-06-09 · Updated 2022-02-10
CVE-2020-13973 · CVSS v3.1 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OWASP json-sanitizer versions prior to 1.2.1
Description
The HTML parser decides where a SCRIPT element ends from character sequences in the element's text (such as "</script"), not from JavaScript string boundaries. An attacker who controls a substring of the input JSON, and also controls another substring adjacent to the SCRIPT element in which the sanitizer's output is embedded as JavaScript, could therefore confuse the HTML parser as to where the SCRIPT element ends. Content the page author placed outside the element could then be interpreted as JavaScript, leading to a cross-site scripting (XSS) attack.
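The following is an added illustration of the failure mode described above; it is not json-sanitizer's code and does not reproduce the project's fix. It models the HTML tokenizer's script-data states (normal, escaped after "<!--", double-escaped after "<!--<script") just far enough to show where a SCRIPT element really ends, builds a constructed page with a hypothetical "var data = ..." template plus an adjacent attacker-controlled fragment, and shows the two directions of the confusion: a "</script" inside a JSON string ends the element early, and a "<!--<script" inside a JSON string makes the template's own closing tag no longer end it, so page content outside the element is swallowed into the script. The output-side mitigation shown, rewriting "<" and ">" as JSON \u escapes, is a general technique, not a description of the library's implementation; the payload values, the page template and the 8-character "<script>" prefix are all assumptions of the example.

```javascript
// Added illustration of the advisory's failure mode (not json-sanitizer's own
// code): how a "</script" or "<!--<script" sequence left in a JSON string moves
// the end of the <script> element the JSON is embedded in, and the output-side
// escaping that prevents it. Run with: node script-embedding.js

// Simplified model of the HTML tokenizer's script-data states: "data", "escaped"
// (entered by "<!--") and "doubleEscaped" (entered from "escaped" by "<script").
// Given the text after an opening <script> tag it returns the index at which the
// tokenizer ends the element, or -1 if it never does. Tag-name matches are
// case-insensitive and must be followed by whitespace, "/" or ">", as in the spec.
function findScriptEnd(text) {
  const s = text.toLowerCase();
  const tagAt = (i, name) =>
    s.startsWith(name, i) && /[\s\/>]/.test(s[i + name.length] || "");
  let state = "data";
  let dashes = 0; // consecutive "-" seen in the escaped states ("-->" leaves them)
  for (let i = 0; i < s.length; i++) {
    if (state === "data") {
      if (tagAt(i, "</script")) return i;
      if (s.startsWith("<!--", i)) { state = "escaped"; dashes = 2; i += 3; }
      continue;
    }
    if (tagAt(i, "</script")) {
      if (state === "escaped") return i;
      state = "escaped"; dashes = 0; i += 7; // in doubleEscaped "</script" does NOT end the element
      continue;
    }
    if (state === "escaped" && tagAt(i, "<script")) {
      state = "doubleEscaped"; dashes = 0; i += 6;
      continue;
    }
    if (s[i] === "-") { dashes++; continue; }
    if (s[i] === ">" && dashes >= 2) state = "data";
    dashes = 0;
  }
  return -1;
}

// Output-side escaping: rewrite "<" and ">" (and the JavaScript line terminators
// U+2028/U+2029) as JSON \u escapes. Valid JSON has these only inside strings,
// where \u003c still decodes to "<", so the data is unchanged but the HTML
// tokenizer never sees "<!--", "<script" or "</script".
function escapeJsonForScript(jsonText) {
  return jsonText.replace(/[<>\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

const OPEN = "<script>";
const CLOSE = "</script>";

// Constructed page (assumed template): a script element carrying the JSON, then
// an adjacent fragment the attacker also controls (the advisory's second
// substring), then an unrelated trailing script. Returns the HTML and where the
// template intends the first script element to end.
function renderPage(jsonText, adjacent) {
  const head = OPEN + "var data = " + jsonText + ";";
  return {
    html: head + CLOSE + "<p>" + adjacent + "</p>" + OPEN + "footer();" + CLOSE,
    intendedEnd: head.length,
  };
}

// Absolute index at which the tokenizer actually ends the first script element.
function actualEnd(html) {
  const i = findScriptEnd(html.slice(OPEN.length));
  return i < 0 ? -1 : i + OPEN.length;
}

// Constructed attacker-controlled JSON string values.
// Case 1: "</script" ends the element early; the <img> after it becomes HTML.
const BREAKOUT_VALUE = "</script><img src=x onerror=alert(1)>";
// Case 2: "<!--<script" puts the tokenizer in the double-escaped state, where the
// template's own "</script>" no longer ends the element; the attacker's adjacent
// "-->" returns to normal script data and the element swallows everything up to
// the next "</script>", so page content outside the element becomes script.
const SWALLOW_VALUE = "<!--<script>";

for (const [value, adjacent] of [[BREAKOUT_VALUE, ""], [SWALLOW_VALUE, "-->"]]) {
  const json = JSON.stringify({ v: value });
  const raw = renderPage(json, adjacent);
  const esc = renderPage(escapeJsonForScript(json), adjacent);
  console.log(JSON.stringify(value),
    "raw: intended", raw.intendedEnd, "actual", actualEnd(raw.html),
    "| escaped: intended", esc.intendedEnd, "actual", actualEnd(esc.html));
}
```

In the first case the element ends 40 characters before the template's closing tag; in the second it ends at the trailing script's closing tag instead of its own. With the escaping applied, both pages end the element exactly where the template put it and JSON.parse of the escaped text still yields the original values.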
Recommendations
For OWASP json-sanitizer versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Owasp Json-Sanitizer