Severity: high

    Cross-Site Scripting

    hexo-admin

    Overview

    All versions of hexo-admin are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts.

    Remediation

    No fix is currently available. Consider using an alternative package until a fix is made available.
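    As an added illustration, not hexo-admin's own code, the following shows the failure the overview describes (a markdown renderer passing raw HTML straight through) next to the kind of allowlist filtering of the rendered output that closes it. The renderer, the sanitizer and the sample post are all constructed for this example; a real deployment would use a maintained sanitizer such as DOMPurify rather than the regex-based one here.

```javascript
// Added illustration, not hexo-admin's code. A toy markdown renderer passes raw
// HTML through verbatim (as most renderers do); serving that output unfiltered is
// the bug class in the advisory. sanitizeHtml rebuilds the output from an allowlist.
// Assumption: this regex-based sanitizer only shows the principle; use DOMPurify in practice.
const ALLOWED_TAGS = new Set(['p', 'a', 'em', 'strong', 'code', 'pre', 'ul', 'ol',
  'li', 'h1', 'h2', 'h3', 'blockquote', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // no on* handlers, no style
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;              // rejects javascript: and data:

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Toy renderer: blank-line separated paragraphs, **bold**, raw HTML left untouched.
function renderMarkdown(md) {
  return md.trim().split(/\n\s*\n/)
    .map(p => `<p>${p.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')}</p>`)
    .join('\n');
}

// Rebuild a tag's attribute list, keeping only what the allowlist permits.
function cleanAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                         // drops onclick etc.
    if (name === 'href' && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Every tag either survives with filtered attributes or is emitted as visible text.
function sanitizeHtml(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (whole, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return escapeHtml(whole);
    return slash ? `</${tag}>` : `<${tag}${cleanAttributes(tag, attrs)}>`;
  });
}

// Constructed sample post: benign markdown plus markup a sanitizer must neutralise.
const SAMPLE_POST = ['Hello **world**', '', '<script>alert(1)</script>', '',
  '<a href="https://example.com" title="Docs">docs</a> <a href="javascript:alert(1)" onclick="x()">bad</a>'].join('\n');

function renderPost(md) { return sanitizeHtml(renderMarkdown(md)); }
```

    Running `renderPost(SAMPLE_POST)` keeps the paragraph, bold text and the https link with its title, while the script element becomes visible text and the second anchor loses both its javascript: href and its onclick attribute.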


    Advisory timeline

    1. Advisory Published: Oct 18th, 2019
    2. Reported by Chintan: Oct 14th, 2019