Multiple Content Injection Vulnerabilities
Affecting marked package, versions <=0.3.0
Overview
Marked comes with an option to sanitize user output to help protect against content injection attacks.
sanitize: true
Even with this option set, marked is vulnerable to content injection in multiple locations when untrusted user input is passed to marked and the resulting output is sent to the browser.
Injection is possible in two locations:
- GFM code blocks (language)
- javascript URLs
Source: Node Security Project
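The two injection points listed above, guarded on the output side, as an added example that is not part of the original advisory and not marked's own code. The function names, the scheme allowlist and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: output-side guards for fenced-code language strings and link URLs.
// All names and sample inputs here are constructed for illustration.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Only a short token of known-safe characters may reach the class attribute.
function codeBlockOpenTag(lang) {
  const token = String(lang || '').trim().split(/\s+/)[0];
  if (!/^[A-Za-z0-9_+#.-]{1,32}$/.test(token)) return '<pre><code>';
  return '<pre><code class="lang-' + escapeHtml(token) + '">';
}

// Out-of-range code points decode to nothing instead of throwing.
const fromCode = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Decode numeric entities and a few named ones, since the browser decodes
// attribute values before it resolves the URL scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ':').replace(/&tab;/gi, '\t').replace(/&newline;/gi, '\n');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

function isSafeHref(href) {
  // Browsers ignore leading control characters and embedded tabs/newlines;
  // stripping all control characters and spaces is the conservative choice.
  const url = decodeEntities(String(href)).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme: relative reference
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Unsafe targets lose the link but keep their escaped label.
function renderLink(href, text) {
  if (!isSafeHref(href)) return escapeHtml(text);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// Constructed inputs, not the advisory's proof of concept.
for (const h of ['https://example.com/', 'javascript:void(0)', 'JaVaScRiPt&#58;void(0)']) {
  console.log(JSON.stringify(h), '->', renderLink(h, 'label'));
}
```

Checks like these are defense in depth for rendered output; the fix for this advisory remains the upgrade given under Remediation.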
Remediation
Upgrade to version 0.3.1 or later
CVSS Score: 6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Adam Baldwin
- CVE: CVE-2014-1850, CVE-2014-3743
- CWE: CWE-74
- Snyk ID: npm:marked:20140131
- Disclosed: 30 Jan, 2014
- Published: 30 Jan, 2014