GitHub_MCVELIST:CVE-2022-36036CVE-2022-36036 Improper Control of Generation of Code ('Code Injection') in mdx-mermaid
3.6 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
0.0005 Low
EPSS
Percentile
17.8%
mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.
CNA Affected
[
{
"product": "mdx-mermaid",
"vendor": "sjwall",
"versions": [
{
"status": "affected",
"version": "< 1.3.0"
},
{
"status": "affected",
"version": "= 2.0.0-rc1"
}
]
}
]Related
3.6 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
0.0005 Low
EPSS
Percentile
17.8%