Cross-Site Scripting in ngx-md

2020-09-03T15:49:14
ID GHSA-XR53-M937-JR9C
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T15:49:14

Description

Versions of ngx-md prior to 6.0.3 are vulnerable to Cross-Site Scripting. Links are not properly restricted to http/https and can contain JavaScript which may lead to arbitrary code execution. Markdown input such as [Click Me](javascript:alert('Injected!'%29) is rendered as a Click Me link that executes JavaScript.
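The fix class the advisory describes is a scheme allow-list applied to every link href before it is emitted. The following is an added example, not ngx-md's own code: it parses the href with the WHATWG URL parser (so case, leading whitespace and embedded tab/newline characters are normalised the way a browser would normalise them) and only keeps http, https and mailto links. The minimal `renderLinks` helper and its regex are assumptions for illustration, not the library's renderer.

```javascript
// Added example (not ngx-md code): allow-list the URL scheme of markdown links.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns the href unchanged if its scheme is allowed, otherwise null.
function safeHref(href) {
  let parsed;
  try {
    // Resolve against a placeholder base so relative links ("/docs") get the
    // base's https: scheme, and so the scheme is canonicalised (lower-cased,
    // leading spaces and ASCII tab/newline stripped) exactly as a browser does.
    parsed = new URL(href, 'https://placeholder.invalid/');
  } catch (e) {
    return null; // unparsable input is dropped rather than passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical minimal renderer for [text](href) links, to show the check in place.
// Links whose scheme is rejected are rendered as plain anchors without an href.
const LINK_RE = /\[([^\]]*)\]\(([^)\s]*)\)/g;
function renderLinks(markdown) {
  return markdown.replace(LINK_RE, (match, text, href) => {
    const safe = safeHref(href);
    if (safe === null) {
      return `<a>${escapeHtml(text)}</a>`;
    }
    return `<a href="${escapeHtml(safe)}">${escapeHtml(text)}</a>`;
  });
}

// The payload from the advisory (constructed input) is rendered without an href.
const advisoryPayload = "[Click Me](javascript:alert('Injected!'%29)";
console.log(renderLinks(advisoryPayload)); // <a>Click Me</a>
```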

Recommendation

Upgrade to version 6.0.3 or later.