Multiple Content Injection Vulnerabilities

Affecting marked package, versions <=0.3.0

Overview

Marked comes with an option to sanitize user output to help protect against content injection attacks.

sanitize: true

Even with this option set, marked is vulnerable to content injection in multiple locations when untrusted user input is passed to marked and the resulting output is sent to the browser.

Injection is possible in two locations:

  • GFM code blocks (language)
  • javascript: URLs

Source: Node Security Project

Remediation

Upgrade to version 0.3.1 or later.
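As defense in depth alongside the upgrade, the two output locations named in the overview (link URLs and the code block language) can be constrained at render time. The following is an added example, not code from marked or from this advisory; the helper names, the scheme allowlist, the `lang-` class prefix and the placeholder base URL are assumptions.

```javascript
// Added example: hypothetical helper names; none of this is marked's own code.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
// Constructed base, used only so relative links can be parsed.
const BASE = 'https://placeholder.invalid/';

// Escape text for use in HTML content or a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Return an attribute-safe href, or null when the scheme is not allowlisted.
// The WHATWG URL parser lowercases the scheme and strips the whitespace and
// control characters a browser would ignore, so the check sees what the
// browser will see.
function safeHref(raw) {
  const href = String(raw).trim();
  let parsed;
  try {
    parsed = new URL(href, BASE);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? escapeHtml(href) : null;
}

// Map a fenced-code language tag to a class name; anything outside a
// conservative character set yields no class at all.
function safeLangClass(lang) {
  return /^[A-Za-z0-9_+#.-]{1,32}$/.test(String(lang || '')) ? 'lang-' + lang : '';
}

function renderLink(href, text) {
  const safe = safeHref(href);
  // Disallowed links degrade to plain escaped text.
  return safe === null ? escapeHtml(text) : `<a href="${safe}">${escapeHtml(text)}</a>`;
}

function renderCode(code, lang) {
  const cls = safeLangClass(lang);
  const attr = cls ? ` class="${cls}"` : '';
  return `<pre><code${attr}>${escapeHtml(code)}</code></pre>`;
}
```

Because the `&` in an accepted href is escaped before it reaches the attribute, the browser parses the same string the allowlist check parsed.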

CVSS Score

6.5 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Credit: Adam Baldwin
CVE: CVE-2014-1850, CVE-2014-3743
CWE: CWE-74
Snyk ID: npm:marked:20140131
Disclosed: 30 Jan, 2014
Published: 30 Jan, 2014