CVE-2021-22540

XSS in Dart SDK

EPSS 0.7%CWE-79

In short

The Dart SDK before version 2.12.3 has a flaw that allows attackers to inject malicious scripts through DOM clobbering using template tags. This means untrusted content could execute unwanted code in users' browsers.

Technical detail

A validation bypass in dart:html's DOM node creation fails to properly sanitize template tags, allowing DOM clobbering-based XSS attacks. An attacker can craft malicious input containing template elements to inject arbitrary JavaScript; exploitation requires the application to process untrusted input through the vulnerable HTML sanitization logic.

Summary generated and translated by AI from the official description.

Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.

Affected products

Google LLC · Dart SDK

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/dart-lang/sdk/commit/ce5a1c2392debce967415d4c09359ff2555e3588 https://github.com/dart-lang/sdk/security/advisories/GHSA-3rfv-4jvg-9522