Severity: high

    Cross-Site Scripting

    markdown-to-jsx

    Overview

    Versions of markdown-to-jsx prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

    Remediation

    Upgrade to version 6.11.4 or later.

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      May 20th, 2020
    2. reported

      Reported by Bob "Wombat" Hogg
      Oct 17th, 2019