GHSA-qghr-877h-f9jh

Source

https://github.com/advisories/GHSA-qghr-877h-f9jh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qghr-877h-f9jh/GHSA-qghr-877h-f9jh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-qghr-877h-f9jh

Aliases

CVE-2023-0835

Published

2023-04-05T00:30:38Z

Modified

2025-02-13T18:51:56Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)

Details

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Database specific

{
    "nvd_published_at": "2023-04-04T23:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-05T17:55:20Z"
}

References

Affected packages

npm / markdown-pdf

Package

Name: markdown-pdf; View open source insights on deps.dev
Purl: pkg:npm/markdown-pdf

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

11.0.0