CVE-2022-39353

Published: 02/11/2022 Updated: 01/03/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299, as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`, or reject a document that has more than 1 `childNode`.
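The two workarounds above, as an added example that is not code from the advisory or the xmldom project. To stay self-contained it does not load `@xmldom/xmldom`; `fakeDocument`, `el` and `collect` are a constructed stand-in for the `Document` the vulnerable versions produce (every root element lands in `childNodes`). The check counts only element children, which is a refinement the advisory does not spell out: comments and processing instructions are legal top-level siblings of the root element.

```javascript
// Added example (not from the advisory or the xmldom project).
const ELEMENT_NODE = 1;
const COMMENT_NODE = 8;
const DOCUMENT_NODE = 9;

function el(tagName, children = []) {
  return { nodeType: ELEMENT_NODE, tagName, childNodes: children };
}

// Descendant search, mirroring what getElementsByTagName does on a real DOM.
function collect(node, name) {
  const out = [];
  if (node && node.nodeType === ELEMENT_NODE) {
    if (node.tagName === name) out.push(node);
    for (const c of node.childNodes) out.push(...collect(c, name));
  }
  return out;
}

// Constructed stand-in for a Document parsed by a vulnerable xmldom version:
// all top-level nodes are kept, and a whole-document search sees every root.
function fakeDocument(roots) {
  const doc = { nodeType: DOCUMENT_NODE, childNodes: roots };
  doc.documentElement = roots.find((n) => n.nodeType === ELEMENT_NODE) || null;
  doc.getElementsByTagName = (name) => roots.flatMap((r) => collect(r, name));
  return doc;
}

// Workaround: reject a Document with more than one root element.
// Only ELEMENT_NODE children are counted (see lead-in), so a leading
// comment or processing instruction does not cause a false rejection.
function assertSingleRootElement(doc) {
  const roots = Array.from(doc.childNodes).filter((n) => n.nodeType === ELEMENT_NODE);
  if (roots.length !== 1) {
    throw new Error(`expected exactly 1 root element, found ${roots.length}`);
  }
  return doc;
}

// Workaround: search under documentElement instead of the whole Document.
// On a real DOM this is doc.documentElement.getElementsByTagName(name).
function findElements(doc, name) {
  return collect(doc.documentElement, name);
}
```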

Vulnerable Products

xmldom project xmldom 0.9.0

xmldom project xmldom

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #1024736 node-xmldom: CVE-2022-39353. Package: src:node-xmldom; Maintainer for src:node-xmldom is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 24 Nov 2022 05:54:02 UTC; Severity: important; Tags: se ...

Description: The MITRE CVE dictionary describes this issue as: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without report ...

Github Repositories

ecovacs-deebot.js: Library for running Ecovacs Deebot (and also some yeedi) vacuum cleaner robots. Installation: information on how to install this library can be found here. The minimum required version of Node.js is 14.x; it is recommended to use version 14.x or 16.x. Usage: information on how to use this library can be found here. Models: fully supported models. The fully sup ...

A Node.js library for running Ecovacs Deebot and yeedi vacuum cleaner robots

ecovacs-deebot.js: Library for running Ecovacs Deebot (and also some yeedi) vacuum cleaner robots. Installation: information on how to install this library can be found here. The minimum required version of Node.js is 16.x. Usage: information on how to use this library can be found here. Models: supported models. The following models I own myself, so they are very widely suppor ...