Lucene search

Veracode Vulnerability DatabaseVERACODE:46060

HistoryMar 28, 2024 - 9:58 a.m.

Cross Site Scripting (XSS)

2024-03-2809:58:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

katex

input validation

xss

attacks

javascript

html

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

katex is vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability is due to insufficient input validation when processing untrusted mathematical expressions containing \includegraphics. It allows attackers to inject and execute arbitrary JavaScript code or generate invalid HTML, leading to Cross-Site Scripting (XSS) vulnerabilities.

CPENameOperatorVersion
katexle0.16.9
katexle0.16.9

CPE	Name	Operator	Version
	katex	le	0.16.9
	katex	le	0.16.9

References

github.com/advisories/GHSA-f98w-7cxr-ff2h

github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770

github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h