CVE-2021-23342

HIGH

docsify < 4.12.0 - Stored Cross-Site Scripting via Sidebar HTML Injection

Title source: llm
STIX 2.1

Description

This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters

References (5)

Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Feb/71

Scores

CVSS v3 8.6
EPSS 0.0166
EPSS Percentile 73.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Details

CWE
CWE-79
Status published
Products (2)
docsifyjs/docsify < 4.12.0
npm/docsify 0 - 4.12.0npm
Published Feb 19, 2021
Tracked Since Feb 18, 2026