How severe is CVE-2021-21366?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.3 out of 10.

What type of vulnerability is CVE-2021-21366?

This is classified as CWE-115, which is a common weakness in software security.

CVE-2021-21366 - MEDIUM Severity | CVSS 4.3

Vulnerability Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Related Vulnerabilities

CVE-2018-12123

MEDIUM

CVSS:4.3(Medium)

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL h...

CWE-1152018

CVE-2023-0880

MEDIUM

CVSS:4.3(Medium)

Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

CWE-1152023

CVE-2025-22870

MEDIUM

CVSS:4.4(Medium)

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1...

CWE-1152025

CVE-2023-32228

MEDIUM

CVSS:4.6(Medium)

A firmware bug which may lead to misinterpretation of data in the AMC2-4WCF and AMC2-2WCF allowing an adversary to grant access to the last authorized user.

CWE-1152023

CVE-2018-7159

MEDIUM

CVSS:5.3(Medium)

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP spe...

CWE-1152018

CVE-2020-29509

MEDIUM

CVSS:5.6(Medium)

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that b...

CWE-1152020