CVE-2021-46827: 
Oxygen XML Author vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Oxygen XML WebHelp before version 22.1 build 2021082006 and 23.x before 23.1 build 2021090310. The vulnerability was assigned CVE-2021-46827 and was disclosed on July 13, 2022. The issue affects the search terms proposals functionality in online documentation generated using Oxygen XML WebHelp (NVD, Vendor Advisory).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is changed (S:C) with low impact on confidentiality (C:L) and integrity (I:L), but no impact on availability (A:N) (NVD).

If exploited, the vulnerability allows attackers to execute arbitrary JavaScript code by convincing a user to type specific text in the WebHelp output search field. This can lead to the alteration of the intended functionality of the WebHelp output (Vendor Advisory).

The vulnerability has been fixed in version 22.1 build 2021082013 and version 23.1 build 2021082307. Users are advised to update their products to a non-vulnerable version and replace previously generated WebHelp outputs with freshly generated ones using the updated version. No other workarounds are available (Vendor Advisory).