Description

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Remediation

References

https://fluidattacks.com/advisories/relsb/

https://www.npmjs.com/package/markdown-pdf/

Related Vulnerabilities

CVE-2020-7693 Vulnerability in maven package org.webjars.npm:sockjs

CVE-2019-10787 Vulnerability in npm package im-resize

CVE-2020-8135 Vulnerability in npm package @uppy/companion

CVE-2022-23458 Vulnerability in maven package org.webjars.npm:tui-grid

CVE-2019-20444 Vulnerability in maven package io.netty:netty-codec-http

Severity

Critical

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Tags

Exploit Third Party Advisory Product