Multiple Content Injection Vulnerabilities in marked · CVE-2014-3743 · GitHub Advisory Database · GitHub

Multiple Content Injection Vulnerabilities in marked

Moderate severity GitHub Reviewed Published Aug 31, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

marked (npm)

Affected versions

<= 0.3.0

Patched versions

0.3.1

Description

Versions 0.3.0 and earlier of marked are affected by two cross-site scripting vulnerabilities, even when sanitize: true is set.

The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs.

Recommendation

Upgrade to version 0.3.1 or later.

References

Reviewed Aug 31, 2020

Published to the GitHub Advisory Database Aug 31, 2020

Last updated Jan 9, 2023

Severity

Moderate

6.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N