Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13am1mLTU4dmMteHFqcs4AAuAc
Content injection in marked
When mangling is disabled via the mangle option, marked versions 0.3.7 and earlier do not escape the link target (href). This allows an attacker to inject arbitrary HTML event-handler attributes into the resulting a tag.
Permalink: https://github.com/advisories/GHSA-wjmf-58vc-xqjr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13am1mLTU4dmMteHFqcs4AAuAc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 5 months ago
Withdrawn: over 2 years ago
Identifiers: GHSA-wjmf-58vc-xqjr
References:
- https://github.com/markedjs/marked/issues/926
- https://github.com/markedjs/marked/commit/cb72584c5d9d32ebfdbb99e35fb9b81af2b79686
- https://github.com/advisories/GHSA-wjmf-58vc-xqjr
Affected Packages
npm:marked
Versions: < 0.3.9
Fixed in: 0.3.9