CVE-2016-10531 — Cross-site Scripting in Node-marked

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-marked Marked Project Marked Hackerone Marked Node Module

Timeline

PublishedMay 31

Latest updateFeb 18

Description

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/node-marked< node-marked 0.3.6+dfsg-1 (bookworm)

▶npmmarked_project/marked< 0.3.6

▶NVDmarked_project/marked0.3.5

▶CVEListV5hackerone/marked_node_module<=0.3.5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Sanitization bypass using HTML Entities in marked↗2019-02-18

▶

GHSA

Sanitization bypass using HTML Entities in marked↗2019-02-18

▶

OSV

CVE-2016-10531: marked is an application that is meant to parse and compile markdown↗2018-05-31

▶

📋Vendor Advisories

Debian

CVE-2016-10531: node-marked - marked is an application that is meant to parse and compile markdown. Due to the...↗2016

▶