High severity8.6NVD Advisory· Published Feb 19, 2021· Updated Jun 17, 2026
CVE-2021-23342
CVE-2021-23342
Description
This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
docsifynpm | < 4.12.0 | 4.12.0 |
Affected products
2- docsify/docsifydescription
Patches
Vulnerability mechanics
References
8- github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fenvdPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593nvdExploitThird Party AdvisoryWEB
- snyk.io/vuln/SNYK-JS-DOCSIFY-1066017nvdExploitThird Party AdvisoryWEB
- seclists.org/fulldisclosure/2021/Feb/71nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-2mm9-c2fx-c7m4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-23342ghsaADVISORY
- www.npmjs.com/package/docsifyghsaWEB
News mentions
0No linked articles in our index yet.