5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
25.9%
KaTeX is a JavaScript library for TeX math rendering on the web. Code that
uses KaTeX’s trust
option, specifically that provides a function to
blacklist certain URL protocols, can be fooled by URLs in malicious inputs
that use uppercase characters in the protocol. In particular, this can
allow for malicious input to generate javascript:
links in the output,
even if the trust
function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'
. Upgrade to KaTeX v0.16.10
to remove this vulnerability.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | node-katex | < any | UNKNOWN |
ubuntu | 20.04 | noarch | node-katex | < any | UNKNOWN |
ubuntu | 22.04 | noarch | node-katex | < any | UNKNOWN |
ubuntu | 23.10 | noarch | node-katex | < any | UNKNOWN |
ubuntu | 24.04 | noarch | node-katex | < any | UNKNOWN |
github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de
github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de (v0.16.10)
github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329
launchpad.net/bugs/cve/CVE-2024-28246
nvd.nist.gov/vuln/detail/CVE-2024-28246
security-tracker.debian.org/tracker/CVE-2024-28246
www.cve.org/CVERecord?id=CVE-2024-28246
5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
25.9%