CVE-2024-21535

Source
https://cve.org/CVERecord?id=CVE-2024-21535
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21535.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21535
Aliases
Downstream
Published
2024-10-15T05:00:03.815Z
Modified
2026-05-18T05:56:01.551981630Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P
Summary
[none]
Details

Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker who controls the markdown being rendered can inject an iframe element whose src attribute is passed through unsanitized, so arbitrary JavaScript runs in the browser of any user who views the rendered output. Upgrade to 7.4.0 or later. As the CVSS vector records, the attack needs user interaction (a victim has to view the page, UI:R) and proof-of-concept exploit code exists (E:P).
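The check the advisory describes as missing is a URL scheme allow-list applied to src in the same way it is applied to href. What follows is an added example written for this page, not code from markdown-to-jsx or from its fix: a small sanitizer that decodes HTML entities, strips the control characters browsers ignore, reads the URL scheme and drops any src/href value whose scheme is not allow-listed, exercised on constructed iframe src values. The sample strings, the SAFE_SCHEMES and URL_ATTRIBUTES sets and every function name are this example's own assumptions.

```javascript
// Added example for CVE-2024-21535 (not markdown-to-jsx code): scheme
// allow-listing for URL-bearing attributes, applied to src as well as href.

const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);
const URL_ATTRIBUTES = new Set(["src", "href", "action", "formaction", "poster", "xlink:href"]);

// Named entities attackers use to hide a scheme from naive string checks.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: "\"", apos: "'", colon: ":", Tab: "\t", NewLine: "\n" };

// Minimal entity decoder: decimal, hex and the few named forms above.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] !== "#") {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Scheme as a browser would resolve it: decode entities, drop ASCII control
// characters and whitespace (browsers ignore tab/newline inside the scheme
// and trim the rest), lowercase, then read everything up to the first ":".
function schemeOf(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null; // null: relative URL with no scheme
}

// Returns the value unchanged when it may be emitted as src/href, or null
// when the attribute has to be dropped (javascript:, data:, vbscript:, ...).
function sanitizeUrlAttribute(value) {
  if (typeof value !== "string") return null;
  const scheme = schemeOf(value);
  return scheme === null || SAFE_SCHEMES.has(scheme) ? value : null;
}

// Apply the check to every URL-bearing attribute of an element, not only
// href: the advisory attributes this CVE to an unsanitized src property.
function sanitizeAttributes(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!URL_ATTRIBUTES.has(name.toLowerCase())) {
      out[name] = value;
      continue;
    }
    const safe = sanitizeUrlAttribute(value);
    if (safe !== null) out[name] = safe;
  }
  return out;
}

// Constructed iframe src values (this example's own, not from the advisory):
// two legitimate ones and several script-bearing variants.
const SAMPLES = [
  "https://example.com/embed",
  "/relative/embed.html",
  "javascript:alert(document.domain)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "&#106;avascript:alert(1)",
  "javascript&colon;alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
];

function classify(values) {
  return values.map((v) => ({ value: v, allowed: sanitizeUrlAttribute(v) !== null }));
}

// The subset of SAMPLES that survives the check.
function allowedSamples() {
  return classify(SAMPLES).filter((r) => r.allowed).map((r) => r.value);
}

for (const r of classify(SAMPLES)) {
  console.log(r.allowed ? "allow" : "DROP ", JSON.stringify(r.value));
}
```

Run it with node; the DROP lines are values a pre-7.4.0 renderer would have passed into the iframe's src. Stripping every control character before reading the scheme over-approximates what browsers tolerate, which is the right direction for a deny decision. In a real renderer this check belongs on each attribute produced by a proper HTML parser or sanitizer, not on regex matches over the raw markup, and applications that do not need raw HTML inside markdown are better off not parsing it at all.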

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21535.json",
    "cna_assigner": "snyk"
}
References

Affected packages

Git / github.com/quantizor/markdown-to-jsx

Affected ranges

Type
GIT
Repo
https://github.com/quantizor/markdown-to-jsx
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

1.*
1.0.0
1.1.0
1.2.0
2.*
2.0.0
3.*
3.0.0
3.1.0
3.1.1
4.*
4.0.0-beta
4.0.1-beta
4.0.2-beta
4.0.3
4.0.3-beta
5.*
5.0.0
5.0.2
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1
5.4.2
6.*
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.10.0
6.10.1
6.10.2
6.10.3
6.11.0
6.11.1
6.11.2
6.11.4
6.2.0
6.2.1
6.2.2
6.3.0
6.3.1
6.3.2
6.4.0
6.4.1
6.5.0
6.5.1
6.5.2
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
6.6.7
6.6.8
6.6.9
6.7.1
6.7.2
6.7.4
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.9.0
6.9.1
6.9.2
6.9.3
6.9.4
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6
v7.*
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.1
v7.3.0
v7.3.1
v7.3.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21535.json"