Debian Node-Marked vulnerabilities

10 known vulnerabilities affecting debian/node-marked.

Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH2MEDIUM2LOW6

Vulnerabilities

Page 1 of 1
CVE-2022-21681HIGHCVSS 7.5fixed in node-marked 4.0.12+ds+~4.0.1-1 (bookworm)2022
CVE-2022-21681 [HIGH] CVE-2022-21681: node-marked - Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular e... Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patche
debian
CVE-2022-21680HIGHCVSS 7.5fixed in node-marked 4.0.12+ds+~4.0.1-1 (bookworm)2022
CVE-2022-21680 [HIGH] CVE-2022-21680: node-marked - Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular e... Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue
debian
CVE-2021-21306LOWCVSS 5.32021
CVE-2021-21306 [MEDIUM] CVE-2021-21306: node-marked - Marked is an open-source markdown parser and compiler (npm package "marked"). In... Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0. Scope: local bookworm: resolved bullse
debian
CVE-2018-25110MEDIUMCVSS 6.9fixed in node-marked 0.5.1+dfsg-1 (bookworm)2018
CVE-2018-25110 [MEDIUM] CVE-2018-25110: node-marked - Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of S... Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets o
debian
CVE-2017-16114LOWCVSS 7.5fixed in node-marked 0.3.9+dfsg-1 (bookworm)2017
CVE-2017-16114 [HIGH] CVE-2017-16114: node-marked - The marked module is vulnerable to a regular expression denial of service. Based... The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. Scope: local bookworm: resolved (fixed in 0.3.9+dfsg-1) bullseye: resolved (fixed in 0.3.9+dfsg-1) forky: resolved (fixed in 0.3.9+dfsg-1) sid: resolved (fixed in 0.3.9+dfsg-1) trixie: re
debian
CVE-2017-1000427LOWCVSS 6.1fixed in node-marked 0.3.9+dfsg-1 (bookworm)2017
CVE-2017-1000427 [MEDIUM] CVE-2017-1000427: node-marked - marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI... marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser. Scope: local bookworm: resolved (fixed in 0.3.9+dfsg-1) bullseye: resolved (fixed in 0.3.9+dfsg-1) forky: resolved (fixed in 0.3.9+dfsg-1) sid: resolved (fixed in 0.3.9+dfsg-1) trixie: resolved (fixed in 0.3.9+dfsg-1)
debian
CVE-2016-10531LOWCVSS 6.1fixed in node-marked 0.3.6+dfsg-1 (bookworm)2016
CVE-2016-10531 [MEDIUM] CVE-2016-10531: node-marked - marked is an application that is meant to parse and compile markdown. Due to the... marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest be
debian
CVE-2015-8854LOWCVSS 7.5fixed in node-marked 0.3.6+dfsg-1 (bookworm)2015
CVE-2015-8854 [HIGH] CVE-2015-8854: node-marked - The marked package before 0.3.4 for Node.js allows attackers to cause a denial o... The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." Scope: local bookworm: resolved (fixed in 0.3.6+dfsg-1) bullseye: resolved (fixed in 0.3.6+dfsg-1) forky: r
debian
CVE-2015-1370LOWCVSS 4.3fixed in node-marked 0.3.6+dfsg-1 (bookworm)2015
CVE-2015-1370 [MEDIUM] CVE-2015-1370: node-marked - Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allow... Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. Scope: local bookworm: resolved (fixed in 0.3.6+dfsg-1) bullseye: resolved (fixed in 0.3.6+dfsg-1) forky: resolved (fixed in 0.3.6+dfsg-1) sid: resolved (fixed in 0.3.6+dfsg-1) trixie: reso
debian
CVE-2014-3743MEDIUMCVSS 6.1fixed in node-marked 0.3.1+dfsg-1 (bookworm)2014
CVE-2014-3743 [MEDIUM] CVE-2014-3743: node-marked - Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before ... Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. Scope: local bookworm: resolved (fixed in 0.3.1+dfsg-1) bullseye: resolved (fixed in 0.3.1+dfsg-1) forky: resolved (fixed in 0
debian