Cross-Site Scripting in markdown-it-katex
High severity
GitHub Reviewed
Published
Sep 4, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 4, 2020
Last updated
Jan 9, 2023
All versions of
markdown-it-katex
are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser by triggering an error.Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
References