CVE-2020-23849: Cross-site Scripting in jsoneditor
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-23849
GHSA ID:
EPSS Score: 0.49477%
CWE:
Published: 10/12/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reading the vector: the payload is delivered over the network with low complexity and no privileges, but it requires user interaction (a victim has to load the crafted JSON into the editor). Scope is changed because the injected script executes in the origin of the page that embeds the editor rather than in the library itself; the impact is low on confidentiality and integrity and none on availability.
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
jsoneditor | npm | < 9.0.2 | 9.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is in tree-mode rendering: user-controlled JSON keys or values are written into the DOM as HTML instead of as text, so a value containing markup with an event-handler attribute is parsed and executed in the origin of the page hosting the editor. Exact patch details are not available here; the typical shape of this bug in JSON tree viewers is node-rendering code that builds markup directly from the raw value:
- renderNode likely handles content display without escaping
- _createTreeNode probably builds DOM elements directly from JSON values

Confidence is medium: there is no direct code reference, but the pattern matches standard XSS in JSON tree viewers and the described attack vector. The fix is to upgrade to jsoneditor 9.0.2 or later (the first patched version in the table above); `npm ls jsoneditor` shows which version an application actually resolves, including transitive copies.
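As an added illustration of the pattern described above (this is not code from jsoneditor or from the advisory): a minimal tree-mode renderer that builds HTML from JSON keys and values, first in the vulnerable shape and then with escaping. The function names (renderTreeUnsafe, renderTreeSafe, escapeHtml, compareRenderers), the constructed payload and the string-based rendering are assumptions made for the example; the real library builds DOM nodes, but the failure mode is the same whenever untrusted data reaches innerHTML or an equivalent HTML-parsing sink unescaped.

```javascript
// Added example, not jsoneditor's own code. All names here are hypothetical.

// Minimal HTML escaping for text placed inside element content or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: keys and values are concatenated verbatim into markup
// that is later handed to innerHTML. Any '<' in the JSON becomes a real tag.
function renderTreeUnsafe(value, key = 'root') {
  if (value !== null && typeof value === 'object') {
    const children = Object.entries(value)
      .map(([k, v]) => renderTreeUnsafe(v, k))
      .join('');
    return `<li><span class="field">${key}</span><ul>${children}</ul></li>`;
  }
  return `<li><span class="field">${key}</span>: <span class="value">${value}</span></li>`;
}

// Fixed shape: every attacker-influenced string (keys as well as values) is
// escaped before it is placed in markup. Building elements with createElement
// and assigning textContent would be the DOM-based equivalent.
function renderTreeSafe(value, key = 'root') {
  const k = escapeHtml(key);
  if (value !== null && typeof value === 'object') {
    const children = Object.entries(value)
      .map(([ck, cv]) => renderTreeSafe(cv, ck))
      .join('');
    return `<li><span class="field">${k}</span><ul>${children}</ul></li>`;
  }
  return `<li><span class="field">${k}</span>: <span class="value">${escapeHtml(value)}</span></li>`;
}

// Constructed sample document: one value and one key both carry markup with an
// event handler, which is all an attacker needs once the text is parsed as HTML.
const PAYLOAD = JSON.parse(
  '{"name":"<img src=x onerror=alert(document.domain)>",' +
  '"<b onmouseover=alert(1)>k</b>":1}'
);

// True if the rendered markup still contains one of the payload's tags unescaped,
// i.e. a browser fed this string via innerHTML would run the attacker's handler.
function containsRawTag(html) {
  return /<(img|b|script)\b/i.test(html);
}

// Renders the sample with both renderers and reports whether each one leaks a raw tag.
function compareRenderers() {
  return {
    unsafe: containsRawTag(renderTreeUnsafe(PAYLOAD)),
    safe: containsRawTag(renderTreeSafe(PAYLOAD)),
  };
}

// In a browser the vulnerable path would be: container.innerHTML = renderTreeUnsafe(doc);
console.log(compareRenderers());
```

The point of escaping keys as well as values is that in a JSON tree viewer the attacker controls both; a fix that only escapes leaf values leaves the object-key path open.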