Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Vulnerability Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
XML注入(XPath盲注)
Vulnerability Title
XMLDOM 安全漏洞
Vulnerability Description
XMLDOM是jindw个人开发者的一个 W3C DOM for Node 的 JavaScript 实现。 XMLDOM 0.6.0及之前版本、0.8.12之前版本和0.9.9之前版本存在安全漏洞,该漏洞源于允许攻击者控制的字符串插入CDATASection节点,可能导致XML结构注入和业务逻辑操纵。
CVSS Information
N/A
Vulnerability Type
N/A