Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1nNjktNmozbS1qdmd3
HTML Injection in marky-markdown
All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML.
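As an added example (not code from the marky-markdown project or from this advisory), the JavaScript below shows a post-render allowlist sanitizer that strips style, and any other attribute not on the allowlist, from img tags, the attribute class this advisory describes. The sample HTML is constructed for this illustration and assumes a markdown renderer has passed an attacker's inline img tag through to the output unchanged; sanitizeImgTags, parseAttrs, IMG_ALLOWED_ATTRS and the example URL are names chosen here, not marky-markdown's API.

```javascript
// Added example, not marky-markdown's implementation: an allowlist sanitizer
// for <img> attributes applied to already-rendered HTML.

// Constructed sample output: what a renderer emits when the markdown input
// contained an attacker-supplied inline <img> with a style attribute. The
// oversized width/height in the style is the "affect the size of images"
// impact the advisory describes.
const RENDERED_HTML = [
  '<h1>hello</h1>',
  '<img src="https://example.invalid/pixel.png" style="width:10000px;height:10000px" alt="x">',
  '<p>Some text.</p>',
].join('\n');

// Attributes permitted on <img>. Everything else (style, onerror, width,
// height, ...) is removed. width/height are excluded on purpose: like style,
// they control the rendered size of the image.
const IMG_ALLOWED_ATTRS = new Set(['src', 'alt', 'title']);

// Matches one attribute: a name, optionally followed by =value where the value
// is double-quoted, single-quoted or unquoted. Bare attributes get a null value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute text of a single tag into [name, value] pairs.
function parseAttrs(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? null;
    attrs.push([name, value]);
  }
  return attrs;
}

// Rewrite every <img ...> in `html`, keeping only allowlisted attributes and
// refusing script-bearing src schemes. Returns the sanitized HTML plus the
// names of the attributes that were dropped, so a caller can log or reject.
function sanitizeImgTags(html) {
  const removed = [];
  const out = html.replace(/<img\b([^>]*?)\/?>/gi, (_whole, attrText) => {
    const kept = [];
    for (const [name, value] of parseAttrs(attrText)) {
      if (!IMG_ALLOWED_ATTRS.has(name)) {
        removed.push(name);
        continue;
      }
      // Only keep src values that are not javascript:/data:/vbscript: URLs.
      if (name === 'src' && value !== null && /^\s*(javascript|data|vbscript):/i.test(value)) {
        removed.push('src');
        continue;
      }
      const rendered = value === null ? '' : `="${value.replace(/"/g, '&quot;')}"`;
      kept.push(`${name}${rendered}`);
    }
    return kept.length ? `<img ${kept.join(' ')}>` : '<img>';
  });
  return { html: out, removed };
}

// Stand-alone run: sanitize the constructed sample and report what was dropped.
const result = sanitizeImgTags(RENDERED_HTML);
console.log(result.html);
console.log('removed attributes:', result.removed);
```

The regex-based tag handling is enough to show the check, but a deployment should run rendered HTML through a real HTML sanitizer (DOMPurify or sanitize-html, for example) configured with an attribute allowlist, since attribute values containing a literal > would confuse the simple tag match used here. If images need explicit dimensions, re-add width and height with a numeric clamp rather than passing them through.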
Recommendation
This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1nNjktNmozbS1qdmd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-mg69-6j3m-jvgw
References:
- https://www.npmjs.com/advisories/1470
- https://github.com/npm/marky-markdown
- https://snyk.io/vuln/SNYK-JS-MARKYMARKDOWN-548871
- https://github.com/advisories/GHSA-mg69-6j3m-jvgw
Blast Radius: 16.9
Affected Packages
npm:marky-markdown
Dependent packages: 37
Dependent repositories: 204
Downloads: 635 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.0.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.5.1, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 7.0.0, 7.0.1, 7.0.2, 8.0.0, 8.1.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 12.0.0