Lucene search

GoogleOSV:GHSA-QJ3F-9GMQ-FWV5

HistoryApr 09, 2019 - 7:47 p.m.

Cross-Site Scripting in simple-markdown

2019-04-0919:47:29

Google

osv.dev

0.001 Low

EPSS

Percentile

51.1%

JSON

Versions of simple-markdown prior to 0.4.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Recommendation

Upgrade to version 0.4.4 or later.

CPENameOperatorVersion
simple-markdownlt0.4.4

CPE	Name	Operator	Version
	simple-markdown	lt	0.4.4

References

github.com/advisories/GHSA-qj3f-9gmq-fwv5

github.com/Khan/simple-markdown

github.com/Khan/simple-markdown/pull/63

lists.fedoraproject.org/archives/list/[email protected]/message/JFLP3KJVSV5VWMNEBRXLGRVYFXOV5KOG

lists.fedoraproject.org/archives/list/[email protected]/message/KZG2I7VH7WLSEUQ77KYP5CRAVFT2RK2U

lists.fedoraproject.org/archives/list/[email protected]/message/O5EFW655O3BXZYAPB65XEREXB2DSNSOT

nvd.nist.gov/vuln/detail/CVE-2019-9844

www.npmjs.com/advisories/815

www.npmjs.com/package/simple-markdown/v/0.4.4

0.001 Low

EPSS

Percentile

51.1%

JSON

Related for OSV:GHSA-QJ3F-9GMQ-FWV5