CVE-2021-23445: 
JavaScript vulnerability analysis and mitigation

CVE-2021-23445 affects the package datatables.net versions before 1.11.3. The vulnerability was discovered and disclosed on September 27, 2021, by Alessio Della Libera of the Snyk Research Team. The issue occurs when an array is passed to the HTML escape entities function, where the contents would not be properly escaped (NVD, Snyk).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability exists in the HTML escape entities function of datatables.net, where passing an array as input would result in the contents not being properly escaped, potentially leading to XSS attacks (NVD).

When successfully exploited, this vulnerability could allow attackers to execute malicious scripts in the context of the user's browser, potentially leading to the theft of session cookies, exposure of sensitive information, and access to privileged services and functionality (Snyk).

The recommended mitigation is to upgrade datatables.net to version 1.11.3 or higher, which contains the fix for this vulnerability. The fix was implemented in the release of September 24, 2021 (DataTables, GitHub Commit).

Multiple organizations have acknowledged and responded to this vulnerability. Debian issued a security update (DLA-3529-1) to address the vulnerability in their packages (Debian). NetApp has also included this vulnerability in their security advisory for affected products (NetApp).