First published: Fri Jan 29 2021
A flaw was found in the npm package ansi_up in versions before 5.0.0 when parsing untrusted user input. An attacker could take advantage of this by introducing ANSI escape codes to inject arbitrary HTML and JavaScript into the rendered result, mounting a cross-site scripting (XSS) attack.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
npm/ansi_up | <5.0.0 | 5.0.0
IBM Cognos Analytics | <=12.0.0-12.0.2 | 
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | 
Ansi Up | <5.0.0 | 
CVE-2021-3377 is classified as a high severity vulnerability due to its potential for cross-site scripting (XSS) attacks.
To fix CVE-2021-3377, you should update the ansi_up package to version 5.0.0 or later.
CVE-2021-3377 affects the npm package ansi_up in versions below 5.0.0, and by extension applications that bundle an affected version, such as IBM Cognos Analytics.
Yes, CVE-2021-3377 can potentially lead to data breaches by allowing attackers to inject malicious scripts into web applications.
The most effective workaround for CVE-2021-3377 is to update the ansi_up package to a secure version, as no temporary fix is provided.
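Since the only fix is upgrading to 5.0.0 or later, the practical check is whether any copy of ansi_up in a project's lockfile is still below that version. The following is an added example, not code from the advisory or from the ansi_up project; the lockfile it scans is a constructed sample, and the path and version conventions follow the standard npm package-lock.json layout.

```javascript
// Added example, not from the advisory: flag ansi_up installs in an npm lockfile
// that fall in the affected range (< 5.0.0) for CVE-2021-3377.
const AFFECTED_PACKAGE = "ansi_up";
const FIXED_VERSION = "5.0.0"; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `v` sorts before the fixed version; a prerelease of the fixed
// version (e.g. 5.0.0-beta.1) still counts as unpatched.
function isAffected(v, fixed = FIXED_VERSION) {
  const a = parseSemver(v), b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre !== null && b.pre === null;
}
// Collect every affected ansi_up copy from a parsed package-lock.json.
// Supports lockfileVersion 2/3 ("packages", flat) and 1 ("dependencies", nested).
function findAffected(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (meta && meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) check(path, meta);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE) check(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not a real project): a direct affected copy and a nested patched one.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  ansi_up: { version: "4.0.4" },
  "some-ui-lib": { version: "1.2.3", dependencies: { ansi_up: { version: "5.0.0" } } } } };
console.log(findAffected(SAMPLE_LOCK)); // → [{ path: "node_modules/ansi_up", version: "4.0.4" }]
```

Nested copies matter because a transitive dependency can pin its own older ansi_up even after the direct dependency is upgraded.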