xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
0.1.27+ds-10.1.27+ds-1+deb10u2build0.20.04.10.5.0-10.7.3-10.7.5-10.7.5-1ubuntu0.22.04.10.8.6-10.9.6-10.9.6-10.9.8-10.9.8-2Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:HA:NCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N