Vulnerabilities > CVE-2021-32696 - Type Confusion vulnerability in Striptags Project Striptags

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

striptags-project

CWE-843

NVD

Published: 2021-06-18

Updated: 2021-06-24

Summary

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause `striptags` to concatenate unsanitized strings when an array-like object is passed in as the `html` parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

Vulnerable Configurations

Part	Description	Count
Application	Striptags_Project Striptags Project Striptags - Striptags Project Striptags 1.0.0 Striptags Project Striptags 2.0.0 Striptags Project Striptags 2.0.1 Striptags Project Striptags 2.0.2 Striptags Project Striptags 2.0.3 Striptags Project Striptags 2.0.4 Striptags Project Striptags 2.1.0 Striptags Project Striptags 2.1.1 Striptags Project Striptags 2.1.2 Striptags Project Striptags 2.2.0 Striptags Project Striptags 2.2.1 Striptags Project Striptags 3.0.0 Striptags Project Striptags 3.0.1 Striptags Project Striptags 3.1.0 Striptags Project Striptags 3.1.1	16

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References