VBScript Content Injection in marked

Moderate severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm marked (npm)

Affected versions

< 0.3.3

Patched versions

0.3.3

Description

Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when the sanitize option is enabled (sanitize: true). The sanitizer rejects link destinations that use the javascript: scheme but lets a vbscript: destination through, and legacy Internet Explorer executes vbscript: URLs as script when the link is followed.

Proof of Concept (IE10 Compatibility Mode only)

[xss link](vbscript:alert(1&#41;)

renders a link whose destination the browser interprets as vbscript:alert(1). The &#41; entity stands for the closing parenthesis: written literally, the ")" would end the link destination in the Markdown link parser, whereas the entity passes through and is decoded by the browser inside the href attribute.

<a href="vbscript:alert(1)">xss link</a>
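The following is an added example and not marked's own code. It models the scheme check a Markdown renderer applies to link destinations under a sanitize option: a denylist that refuses only javascript: (the gap the advisory describes, so the vbscript: payload passes) next to an allowlist that refuses it. The names extractScheme, isSafeHrefDenylist, isSafeHrefAllowlist, renderLink and ALLOWED_SCHEMES are this example's own, and the entity-preserving escape helper is an assumption modelled on the usual renderer escape step, chosen so that the PoC's &#41; survives into the output as it does in the advisory.

```javascript
// Added example; not marked's source. Constructed inputs are in the comments.

// Decode numeric and a few named HTML entities the way a browser decodes them
// inside an attribute, so the scheme check sees what the browser will see:
// "&#41;" becomes ")", and "&#106;avascript:" becomes "javascript:".
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
function decodeEntities(s) {
  // numeric references decode with or without ";", named ones need it
  return s.replace(/&(#x[0-9a-f]+|#\d+);?|&([a-z]+);/gi, (match, num, name) => {
    if (num !== undefined) {
      const cp = num[1].toLowerCase() === 'x'
        ? parseInt(num.slice(2), 16)
        : parseInt(num.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    }
    const n = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, n) ? NAMED_ENTITIES[n] : match;
  });
}

// Scheme extraction following the URL parser's lead: strip leading/trailing
// C0 controls and spaces, drop tab/CR/LF anywhere (browsers ignore them, so
// "java\tscript:" is still javascript:), then take the "scheme:" prefix.
// No prefix means a relative URL.
function extractScheme(href) {
  const s = decodeEntities(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Denylist: only javascript: is refused. vbscript: (and anything else not
// thought of) passes, which is the failure mode of the advisory.
function isSafeHrefDenylist(href) {
  return extractScheme(href) !== 'javascript';
}

// Allowlist: a destination is safe only if it is relative or its scheme is one
// explicitly permitted here. vbscript:, data:, and unknown schemes are refused.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeHrefAllowlist(href) {
  const scheme = extractScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Attribute escaping that leaves already-encoded entities intact (assumption
// modelled on the usual renderer escape helper). This is why "&#41;" reaches
// the browser unchanged and is decoded there to ")".
function escapeHtml(s) {
  return s.replace(/&(?!#?\w+;)/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Render a Markdown link; when the supplied check rejects the destination the
// anchor is dropped and only the escaped link text is kept.
function renderLink(href, text, isSafe) {
  if (!isSafe(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed input: the advisory's payload.
const POC_HREF = 'vbscript:alert(1&#41;';
console.log(renderLink(POC_HREF, 'xss link', isSafeHrefDenylist));  // anchor survives
console.log(renderLink(POC_HREF, 'xss link', isSafeHrefAllowlist)); // anchor dropped
```

The denylist version reproduces the advisory's output exactly, which is the point: adding vbscript: to a denylist closes this one hole, while an allowlist of schemes closes the class, and decoding entities and stripping tab/newline before the check keeps obfuscated scheme names from slipping past either.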

Recommendation

Update to version 0.3.3 or later. Treat the sanitize option as one layer only: its link check is a denylist of dangerous schemes, so also run the rendered HTML through an output sanitizer that allowlists URL schemes (http, https, mailto) before inserting it into a page.

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.373% (73rd percentile)

CVE ID

CVE-2015-1370

GHSA ID

GHSA-cfjh-p3g4-3q2f
