CVE-2020-8923
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Dart SDK | stable <= 2.7.1 | affected | |
| Dart SDK | dev <= 2.8.0-dev.16.0 | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting (XSS)
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.