Description

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

Remediation

References

http://www.openwall.com/lists/oss-security/2014/05/15/2

https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3743

http://www.openwall.com/lists/oss-security/2014/05/13/1

Related Vulnerabilities

CVE-2021-37137 Vulnerability in maven package io.netty:netty-codec

CVE-2019-1003044 Vulnerability in maven package org.jenkins-ci.plugins:slack

CVE-2023-37954 Vulnerability in maven package com.sonyericsson.hudson.plugins.rebuild:rebuild

CVE-2020-28482 Vulnerability in npm package fastify-csrf

CVE-2019-10356 Vulnerability in maven package org.jenkins-ci.plugins:script-security

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Broken Link Issue Tracking