VDB
CVE-2021-32796
CVE-2021-32796
PUBLISHED
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
EPSS 1.15% · 78.8th percentile
Risk Scores
EPSS Score
1.15%
78.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | node-xmldom | 0.8.6-1, 0 |
| Ubuntu:25.10 | node-xmldom | 0, 0.9.6-1 |
| Ubuntu:20.04:LTS | node-xmldom | 0.1.27+ds-1+deb10u2build0.20.04.1, 0.1.27+ds-1, 0 |
Exploit Intelligence
Timeline
- Jul 27, 2021 CVE Published
- Jul 28, 2021 EPSS Score
- Sep 25, 2021 EPSS Score
- Nov 23, 2021 EPSS Score
- Jan 22, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 22, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 25, 2022 CVE Updated
- Jul 19, 2022 EPSS Score
- Sep 16, 2022 EPSS Score
- Nov 14, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-32796 third-party-advisory
- https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q third-party-advisory
- https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b third-party-advisory
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-32796 third-party-advisory