CVE-2015-1370 — Cross-site Scripting in Node-marked

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 42.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-marked Marked Project Marked

Timeline

PublishedJan 27

Latest updateOct 24

Description

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/node-marked< node-marked 0.3.6+dfsg-1 (bookworm)

▶npmmarked_project/marked< 0.3.3

▶NVDmarked_project/marked0.3.2

🔴Vulnerability Details

GHSA

VBScript Content Injection in marked↗2017-10-24

▶

OSV

VBScript Content Injection in marked↗2017-10-24

▶

OSV

CVE-2015-1370: Incomplete blacklist vulnerability in marked 0↗2015-01-27

▶

📋Vendor Advisories

Debian

CVE-2015-1370: node-marked - Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allow...↗2015

▶

💬Community

Bugzilla

CVE-2015-1370 marked: VBScript content injection↗2015-01-23

▶