Description
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags (</script) and CDATA section delimiters (]]>) for crafted input, even though its output is intended to be safe to embed in HTML script elements and XML CDATA sections. An attacker who controls the input can therefore break out of the embedding context and inject arbitrary HTML or XML into the embedding document.
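As an added illustration (not code from this advisory or from the json-sanitizer project), the following JavaScript shows why a </script or ]]> sequence in sanitizer output is dangerous and the check a consumer of that output can run before embedding it. The sample JSON text, the function names and the simplified model of the HTML parser's script-data state are constructed for the example.

```javascript
// Added example (not from the advisory or the json-sanitizer project): why a
// "</script" or "]]>" sequence in sanitizer output breaks out of the embedding
// document, and a post-sanitization check plus escape that closes the gap.
// Constructed sample input: a JSON text as the affected sanitizer might return it.
const UNSAFE_JSON =
  '{"name":"</script><img src=x onerror=alert(1)>","note":"a]]>b"}';

// Sequences that terminate the surrounding context regardless of JSON string
// boundaries: "</script" ends an HTML script element, "]]>" ends an XML CDATA
// section, and "<!--" can switch the HTML parser into script-data-escaped state.
const BREAKERS = [/<\/script/gi, /\]\]>/g, /<!--/g];

// Returns every offending sequence with its offset, so a caller can log or
// reject output that is not safe to embed verbatim.
function findEmbeddingBreakers(jsonText) {
  const hits = [];
  for (const re of BREAKERS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(jsonText)) !== null) {
      hits.push({ index: m.index, token: m[0] });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

function isSafeToEmbed(jsonText) {
  return findEmbeddingBreakers(jsonText).length === 0;
}

// Simplified model of the HTML parser's script-data state: the element's text
// ends at the first "</script" (case-insensitive) followed by whitespace, "/"
// or ">", no matter what the JavaScript inside looks like.
function scriptElementContent(html) {
  const open = html.indexOf('<script>');
  if (open < 0) return null;
  const start = open + '<script>'.length;
  const close = /<\/script[\s\/>]/i.exec(html.slice(start));
  return close ? html.slice(start, start + close.index) : html.slice(start);
}

// Hardening applied to the JSON text: valid JSON never contains '<', '>' or
// '&' outside string literals, so replacing them everywhere with JSON \uXXXX
// escapes changes no parsed value but removes every sequence above.
// U+2028/U+2029 are escaped too: they are line terminators in JavaScript
// source but ordinary characters in JSON.
function escapeForHtmlEmbedding(jsonText) {
  return jsonText
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Embeds the JSON text in a script element and returns what the parser model
// above keeps as the element's content. With the raw text the element is cut
// off right before the injected tag; with the escaped text it survives intact.
function embeddedScriptContent(jsonText) {
  const html = '<script>var data = ' + jsonText + ';</script>';
  return scriptElementContent(html);
}
```

The escape is a defence-in-depth step for whatever produces the JSON text; the fix for the affected versions themselves is upgrading to 1.2.2 or later, and findEmbeddingBreakers is the assertion to keep on the output path either way.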
References (3)
Core References
https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2 (Patch, Third Party Advisory)
https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0 (Third Party Advisory)
https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e (Patch, Third Party Advisory)
Scores
CVSS v3.1 base score: 9.8 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0044 (percentile 63.4%)
Details
CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
Status: published
Products (2)
com.mikesamuel/json-sanitizer (Maven): versions from 0 up to, but not including, 1.2.2
owasp/json-sanitizer: versions < 1.2.2
Published: Jan 13, 2021
Tracked Since: Feb 18, 2026