Local File Inclusion (LFI)
zmarkdown is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper restriction of image paths within LaTeX documents. This allowed an attacker to specify a local file path, e.g. /tmp/img.png, in the image Markdown syntax, which leads to Local File Inclusion (LFI), resulting i...
Server Side Request Forgery (SSRF)
zmarkdown is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is due to improper filtering of URLs to determine if the URL is within a private network, which allowed an attacker to download private images on the local network...
markdown-math-editor (>=1.1.0 <=1.1.3), mse-md2html (>=1.0.0 <=1.0.1) +1 more potentially affected by unknown CVE via remark-images-download (>=0.0.8 <=3.0.5)
remark-images-download NPM version =0.0.8, =1.1.0, =1.0.0, =2.1.8, =12.1.0 Source cves: unknown CVE Source advisory: OSV:GHSA-MF74-QQ7W-6J7V...
GHSA-MF74-QQ7W-6J7V Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images
Impact A major blind SSRF has been found in remark-images-download, which allowed requests to be made to neighboring servers on local IP ranges. The issue came from loose filtering of URLs inside the module. Imagine a server running on a private network 192.168.1.0/24. A private service...
GHSA-MQ6V-W35G-3C97 Local File Inclusion vulnerability in zmarkdown
Impact A minor Local File Inclusion vulnerability has been found in zmarkdown, which allowed images with a known path on the host machine to be included inside a LaTeX document. To prevent it, a new option has been created that allows invalid paths to be replaced with a default image instead of...
PT-2024-40379 · Zmarkdown · Zmarkdown
Name of the Vulnerable Software and Affected Versions: zmarkdown versions prior to 10.1.3 Description: A Local File Inclusion issue was discovered in zmarkdown, allowing images with known paths on the host machine to be included in a LaTeX document. This could be exploited by including an image...
GHSA-2C83-WFV3-Q25F Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown
Impact A Remote Command Execution vulnerability was found in the rebber module, which allowed execution of arbitrary commands. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using rebber without sanitization of code content or a custom macro is...
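The RCE entry above says code block contents could be "escaped to insert malicious LaTeX"; the usual way that happens is that the block is emitted into a verbatim-style environment, which ends at the first \end{...} the scanner sees, so a code block containing that line can follow it with arbitrary LaTeX (and, where shell escape is on, \write18{...} runs a shell command). The example below is added for this page and is not rebber's code: it shows the alternative of escaping every active character so the text stays inert. The \CodeBlock environment name and the line-break convention are assumptions, and the malicious input is constructed.

```javascript
// Added example (not rebber's own code): render a Markdown code block into
// LaTeX by escaping every active character, so that nothing in the block
// can terminate the enclosing environment or be read as a command. The
// \CodeBlock environment is assumed, as is separating lines with "\\".
const LATEX_ESCAPES = new Map([
  ['\\', '\\textbackslash{}'],
  ['{', '\\{'], ['}', '\\}'],
  ['$', '\\$'], ['&', '\\&'], ['#', '\\#'], ['_', '\\_'], ['%', '\\%'],
  ['~', '\\textasciitilde{}'], ['^', '\\textasciicircum{}'],
]);

// Single pass over the text: the backslash inserted by one replacement is
// never itself re-escaped, which is why this is not done as chained replaces.
function escapeLatex(text) {
  return text.replace(/[\\{}$&#_%~^]/g, (c) => LATEX_ESCAPES.get(c));
}

function renderCodeBlock(code, language = '') {
  // The language name lands inside an argument as well, so it gets the
  // same treatment; an info string is attacker-controlled Markdown too.
  const body = code.split('\n').map((line) => escapeLatex(line)).join('\\\\\n');
  return `\\begin{CodeBlock}{${escapeLatex(language)}}\n${body}\n\\end{CodeBlock}`;
}

// Check used below: between the begin and end lines there must be no
// backslash that starts a LaTeX control word such as \end or \write.
function bodyIsInert(rendered) {
  const body = rendered.split('\n').slice(1, -1).join('\n');
  return !/\\(end|begin|write|input|include|catcode|def)\b/.test(body);
}

module.exports = { escapeLatex, renderCodeBlock, bodyIsInert };
```

If a real verbatim environment is wanted for typography reasons, the same property must come from elsewhere, for instance by refusing any block whose content contains the environment's own \end line, and the LaTeX build should run without shell escape regardless.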
mdtex (>=1.0.0 <=1.2.3), zmarkdown (>=0.0.12 <=7.0.2) potentially affected by unknown CVE via rebber (>=0.0.10 <=4.0.2)
rebber NPM version =0.0.10, =1.0.0, =0.0.12, =7.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-2C83-WFV3-Q25F...