Description

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

Remediation

References

http://www.openwall.com/lists/oss-security/2014/05/13/1

http://www.openwall.com/lists/oss-security/2014/05/15/2

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3743

https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities

Related Vulnerabilities

CVE-2023-46497 Vulnerability in npm package @evershop/evershop

CVE-2022-33140 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-framework

CVE-2022-28220 Vulnerability in maven package org.apache.james:james-server-protocols-imap4

CVE-2021-21345 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2019-10348 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Issue Tracking Broken Link