{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-23445", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-16T18:39:20.468Z", "dateReserved": "2021-01-08T00:00:00", "datePublished": "2021-09-27T16:35:18.234764Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS)", "datePublic": "2021-09-27T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-06-21T19:07:03.224059"}, "descriptions": [{"lang": "en", "value": "This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped."}], "affected": [{"vendor": "n/a", "product": "datatables.net", "versions": [{"version": "unspecified", "lessThan": "1.11.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376"}, {"url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b"}, {"url": "https://cdn.datatables.net/1.11.3/"}, {"name": "[debian-lts-announce] 20230815 [SECURITY] [DLA 3529-1] datatables.js security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "credits": [{"lang": "en", "value": "Alessio Della Libera of Snyk Research Team"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 3.1, "temporalScore": 3, "baseSeverity": "LOW", "temporalSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Cross-site Scripting (XSS)"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T19:14:48.651246Z", "id": "CVE-2021-23445", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:14:56.106Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.898Z"}, "title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544", "tags": ["x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371", "tags": ["x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376", "tags": ["x_transferred"]}, {"url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b", "tags": ["x_transferred"]}, {"url": "https://cdn.datatables.net/1.11.3/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230815 [SECURITY] [DLA 3529-1] datatables.js security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544", "tags": ["x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371", "tags": ["x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376", "tags": ["x_transferred"]}, {"url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b", "tags": ["x_transferred"]}, {"url": "https://cdn.datatables.net/1.11.3/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html", "name": "[debian-lts-announce] 20230815 [SECURITY] [DLA 3529-1] datatables.js security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.898Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-23445", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-26T19:14:48.651246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:14:52.718Z"}}], "cna": {"title": "Cross-site Scripting (XSS)", "credits": [{"lang": "en", "value": "Alessio Della Libera of Snyk Research Team"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P", "temporalScore": 3, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "datatables.net", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.11.3", "versionType": "custom"}]}], "datePublic": "2021-09-27T00:00:00", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376"}, {"url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b"}, {"url": "https://cdn.datatables.net/1.11.3/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html", "name": "[debian-lts-announce] 20230815 [SECURITY] [DLA 3529-1] datatables.js security update", "tags": ["mailing-list"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "descriptions": [{"lang": "en", "value": "This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-06-21T19:07:03.224059"}}}, "cveMetadata": {"cveId": "CVE-2021-23445", "state": "PUBLISHED", "dateUpdated": "2024-09-16T18:39:20.468Z", "dateReserved": "2021-01-08T00:00:00", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2021-09-27T16:35:18.234764Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:datatables:datatables.net:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C4188C3B-D3DD-41BF-8B50-3B779AFFC7E2", "versionEndExcluding": "1.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped."}, {"lang": "es", "value": "Esto afecta al paquete datatables.net versiones anteriores a 1.11.3. Si se pasa un array a la funci\u00f3n de entidades de escape de HTML no se escapa su contenido"}], "id": "CVE-2021-23445", "lastModified": "2024-06-21T19:15:16.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-09-27T17:15:08.137", "references": [{"source": "report@snyk.io", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://cdn.datatables.net/1.11.3/"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b"}, {"source": "report@snyk.io", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00018.html"}, {"source": "report@snyk.io", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1715371"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1715376"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1540544"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3563", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "datatables.net", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wss4j-0:2.4.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3560", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-xml-security-0:2.3.4-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wss4j-0:2.4.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-xml-security-0:2.3.4-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3559", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-06-03T00:00:00Z"}], "bugzilla": {"description": "datatables.net: contents of array not escaped by HTML escape entities function", "id": "2257732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257732"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.", "An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, it does not have its contents escaped, possibly leading to cross site scripting (XSS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-23445", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "datatables.net", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:discovery:1.0::el8", "fix_state": "Will not fix", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit-appstream", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "datatables.net", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "datatables.net", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "datatables.net", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "datatables.net", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "datatables.net", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-patternfly-react-catalog-view-extension", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "package_name": "cockpit-ovirt", "product_name": "Red Hat Virtualization 4"}], "public_date": "2021-09-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23445\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23445\nhttps://cdn.datatables.net/1.11.3/"], "statement": "The improper neutralization of input vulnerability in DataTables.net is considered a moderate severity issue because, while it allows for potential cross-site scripting (XSS) attacks, it requires specific conditions to be exploited effectively. An attacker must have the ability to inject malicious input into the system, and the application must pass this input to the HTML escape entities function without proper validation. Although XSS can lead to significant security risks, such as session hijacking and data theft, the impact is somewhat mitigated by the necessity of these preconditions. Moreover, this vulnerability does not compromise the underlying server or database directly, limiting its scope primarily to client-side exploitation.", "threat_severity": "Moderate", "upstream_fix": "datatables.net 1.11.3"}