CVE-2020-8923: XSS in Dart
First published: Thu Mar 26 2020(Updated: )
An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.
Credit: cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dart Dart Software Development Kit | <2.7.2 | |
| Dart Dart Software Development Kit | =2.8.0-dev0.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev1.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev10.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev11.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev12.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev13.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev14.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev15.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev16.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev2.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev3.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev4.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev5.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev6.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev7.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev8.0 | |
| Dart Dart Software Development Kit | =2.8.0-dev9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/dart
- canonical/dart dart software development kit
- version/dart dart software development kit/2.8.0-dev0.0
- version/dart dart software development kit/2.8.0-dev1.0
- version/dart dart software development kit/2.8.0-dev10.0
- version/dart dart software development kit/2.8.0-dev11.0
- version/dart dart software development kit/2.8.0-dev12.0
- version/dart dart software development kit/2.8.0-dev13.0
- version/dart dart software development kit/2.8.0-dev14.0
- version/dart dart software development kit/2.8.0-dev15.0
- version/dart dart software development kit/2.8.0-dev16.0
- version/dart dart software development kit/2.8.0-dev2.0
- version/dart dart software development kit/2.8.0-dev3.0
- version/dart dart software development kit/2.8.0-dev4.0
- version/dart dart software development kit/2.8.0-dev5.0
- version/dart dart software development kit/2.8.0-dev6.0
- version/dart dart software development kit/2.8.0-dev7.0
- version/dart dart software development kit/2.8.0-dev8.0
- version/dart dart software development kit/2.8.0-dev9.0