{"id":"CVE-2021-23899","details":"OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.","aliases":["GHSA-mm8j-9x84-m9cv"],"modified":"2026-05-18T17:51:46.066476Z","published":"2021-01-13T16:15:14.413Z","references":[{"type":"ADVISORY","url":"https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"},{"type":"FIX","url":"https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"},{"type":"FIX","url":"https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/owasp/json-sanitizer","events":[{"introduced":"0"},{"fixed":"c999c7f93096f927273c87bf439d7a992e3a39dc"},{"fixed":"a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.2.2"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:owasp:json-sanitizer:*:*:*:*:*:*:*:*"}}],"versions":["v1.2.1","json-sanitizer-1.1","json-sanitizer-1.0"],"database_specific":{"vanir_signatures_modified":"2026-05-18T17:51:46Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["323372626607349166269134064051460937550","281540624948202154016147908277489889112","10422161611163388661781270418470123039","293625421098164197743335124240358941919","50888934875141958073919872945025375517","156345042501500560997947285871748547822","190614891019192016033089170304439273891","206108665404963412418727983737632459797","311264598422190495706136753924968620857"]},"deprecated":false,"target":{"file":"src/test/java/com/google/json/JsonSanitizerTest.java"},"id":"CVE-2021-23899-64d45075","source":"https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e","signature_type":"Line","signature_version":"v1"},{"digest":{"length":857,"function_hash":"105576089061181633384202976764767995078"},"deprecated":false,"target":{"file":"src/test/java/com/google/json/FuzzyTest.java","function":"testSanitizerLikesFuzzyWuzzyInputs"},"id":"CVE-2021-23899-6ec1aa4c","source":"https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["186860049387706252174710437488261035074","118898535682368993706272517936523330768","77754662574044532338395744154173700562","145565775578802715228502711527023464545","282013172137993518429794730838349675663","31819421180844700569333099366287102771","12372445699804039305383296177418473916"]},"deprecated":false,"target":{"file":"src/test/java/com/google/json/FuzzyTest.java"},"id":"CVE-2021-23899-f59aed4b","source":"https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e","signature_type":"Line","signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23899.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}