GHSA-vfvf-mqq8-rwqc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vfvf-mqq8-rwqc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-vfvf-mqq8-rwqc/GHSA-vfvf-mqq8-rwqc.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-vfvf-mqq8-rwqc
- Aliases
- Published
- 2019-02-18T23:58:20Z
- Modified
- 2023-11-01T04:46:34.395363Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Sanitization bypass using HTML Entities in marked
- Details
-
Affected versions of
markedare susceptible to a cross-site scripting vulnerability in link components whensanitize:trueis configured.Proof of Concept
This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.
For example:
A link URI such as
javascript֍ocument;alert(1)Renders a valid link that when clicked will execute
alert(1).Recommendation
Update to version 0.3.6 or later.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:57:38Z" }- References
Affected packages
npm / marked
Package
- Name
- marked
- View open source insights on deps.dev
- Purl
- pkg:npm/marked