Description
vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS.
Remediation
References
https://github.com/yoshuawuyts/vmd/issues/137