CVE-2021-23342
HIGHdocsify < 4.12.0 - Stored Cross-Site Scripting via Sidebar HTML Injection
Title source: llmDescription
This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593
Patch, Third Party Advisory x_refsource_misc
https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fe
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Feb/71
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html
Scores
CVSS v3
8.6
EPSS
0.0166
EPSS Percentile
73.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Details
CWE
CWE-79
Status
published
Products (2)
docsifyjs/docsify
< 4.12.0
npm/docsify
0 - 4.12.0npm
Published
Feb 19, 2021
Tracked Since
Feb 18, 2026