Description
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function, its contents are not escaped.
References (7)
Mailing List
https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html
Release Notes, Vendor Advisory
https://cdn.datatables.net/1.11.3/
Patch, Third Party Advisory
https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b
Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371
Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376
Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
Scores
CVSS v3: 3.1
EPSS: 0.0035
EPSS Percentile: 57.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
datatables/datatables.net: < 1.11.3
npm/datatables.net: 0 - 1.11.3
Published: Sep 27, 2021
Tracked Since: Feb 18, 2026