CVE-2021-23445 — datatables.js - security update

Description

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.

How to fix CVE-2021-23445

To remediate CVE-2021-23445, upgrade the affected package to a fixed version below.

Debian/datatables.js—upgrade to 1.10.21+dfsg-2+deb11u1 or later
—upgrade to 1.10.19+dfsg-1+deb10u1 or later
—upgrade to 1.11.3 or later

Is CVE-2021-23445 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.10.21+dfsg-2+deb11u1
from 0, < 1.10.19+dfsg-1+deb10u1
from 0, < 1.11.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23445
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23445
PATCHgithub.com/DataTables/Dist-DataTables
WEBcdn.datatables.net/1.11.3
WEB