npm

Severity: moderate

VBScript Content Injection

marked

Overview

Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set.

Proof of Concept (IE10 Compatibility Mode Only)

[xss link](vbscript:alert(1))

is rendered, even with sanitize:true, as the following link:

<a href="vbscript:alert(1)">xss link</a>
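The failure mode above is a sanitizer that rejects only the schemes it knows about, so an unlisted one such as vbscript: passes through. The following is an added example, not marked's own code: an allowlist-based href check of the kind a Markdown renderer's sanitize mode should apply, run over the advisory's proof-of-concept input. The scheme list and the renderLink/isSafeHref helper names are assumptions for this example.

```javascript
// Added example (not marked's code): only relative links and a short allowlist
// of schemes are emitted as <a href>; every other scheme, vbscript: included,
// is rejected, so the check does not depend on knowing each dangerous scheme.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Normalise the candidate URL before inspecting it: decode percent-escapes and
// strip ASCII control characters and whitespace, which browsers ignore when
// they parse the scheme. The check must run on the value the renderer will
// actually emit, not on the raw Markdown source.
function normalizeHref(href) {
  let h = href;
  try {
    h = decodeURIComponent(h);
  } catch (_) {
    // Malformed percent-escape: inspect the raw value instead.
  }
  return h.replace(/[\u0000-\u0020\u007f]/g, '');
}

// True only for a relative reference (no scheme) or an allowlisted scheme.
function isSafeHref(href) {
  const h = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(h);
  if (!m) return true; // relative path, fragment or query: no scheme to abuse
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Escape the characters that would let text or href break out of the markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Sanitizing link renderer: a rejected href drops the anchor entirely and
// keeps only the escaped link text, so no clickable vbscript: URL is emitted.
function renderLink(href, text) {
  if (!isSafeHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// The advisory's proof-of-concept input (constructed here from the page):
renderLink('vbscript:alert(1)', 'xss link'); // returns "xss link", no anchor
```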

Remediation

Update to version 0.3.3 or later.


Advisory timeline

  1. reported

    Initial report by Xiao Long
    Oct 17th, 2015
  2. published

    Advisory published
    Jan 22nd, 2015