UBUNTU-CVE-2016-10531

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2016-10531

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2016/UBUNTU-CVE-2016-10531.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2016-10531

Upstream

CVE-2016-10531

Published

2018-05-31T20:29:00Z

Modified

2025-10-24T04:46:00Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

References

Affected packages

Ubuntu:16.04:LTS / node-marked

Package

Name: node-marked
Purl: pkg:deb/ubuntu/node-marked@0.3.2+dfsg-1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.3.2+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-marked",
            "binary_version": "0.3.2+dfsg-1"
        },
        {
            "binary_name": "node-marked",
            "binary_version": "0.3.2+dfsg-1"
        }
    ]
}