Multiple Content Injection Vulnerabilities in marked

Do your applications use this vulnerable package? Test your applications

Overview

Marked comes with an option to sanitize user output to help protect against content injection attacks.

sanitize: true

Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser.

Injection is possible in two locations

gfm codeblocks (language)
javascript url's

Source: Node Security Project

Remediation

Upgrade to version 0.3.1 or later

References

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Adam Baldwin
CVE: CVE-2014-1850 CVE-2014-3743
CWE: CWE-74
Snyk ID: npm:marked:20140131
Disclosed: 30 Jan, 2014
Published: 30 Jan, 2014

Multiple Content Injection Vulnerabilities
Affecting marked package, versions <=0.3.0

Overview

Remediation

References

CVSS Score

Multiple Content Injection Vulnerabilities Affecting marked package, versions <=0.3.0

Overview

Remediation

References

Multiple Content Injection Vulnerabilities
Affecting marked package, versions <=0.3.0