
Source: Google OSV (osv.dev), record OSV:GHSA-4R9G-W48Q-8JWM. History: Oct 26, 2022 - 12:00 p.m.

HyperDown vulnerable to Cross-site Scripting

Published: 2022-10-26 12:00:29 (Google, osv.dev)
Tags: hyperdown, markdown parser, chinese website, segmentfault, cross-site scripting, validation, href attribute, publication, patched versions, workarounds

CVSS3 base score: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 34.0%

HyperDown is a markdown parser written for the Chinese website SegmentFault. Improper validation of the href attribute allows for Cross-site Scripting. At publication there are no patched versions, and no known workarounds.
