Marked@* Security Vulnerabilities and Issues — Marked@* CVE List

Lucene search

Marked ProjectMarked*

9 matches found

CVE•added 2022/01/14 5:15 p.m.•155 views

CVE-2022-21680

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does...

7.5CVSS7.2AI score0.0049EPSS

CVE•added 2022/01/14 5:15 p.m.•131 views

CVE-2022-21681

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a...

7.5CVSS7.2AI score0.00483EPSS

CVE•added 2020/01/06 8:15 p.m.•90 views

CVE-2014-3743

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

6.1CVSS5.9AI score0.00584EPSS

CVE•added 2021/02/08 10:15 p.m.•80 views

CVE-2021-21306

Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is...

7.5CVSS6.2AI score0.00603EPSS

CVE•added 2018/05/31 8:29 p.m.•72 views

CVE-2016-10531

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanyt...

6.1CVSS6.2AI score0.00289EPSS

CVE•added 2018/01/02 11:29 p.m.•67 views

CVE-2017-1000427

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

6.1CVSS5.9AI score0.00388EPSS

CVE•added 2017/01/23 9:59 p.m.•63 views

CVE-2015-8854

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."

7.8CVSS7.1AI score0.0102EPSS

CVE•added 2018/06/07 2:29 a.m.•56 views

CVE-2017-16114

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

7.5CVSS7.3AI score0.00274EPSS

CVE•added 2015/01/27 8:4 p.m.•53 views

CVE-2015-1370

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

4.3CVSS5.8AI score0.00349EPSS