Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxcHAtMjM2My02NDl2
Cross-Site Scripting in buttle
All versions of buttle
are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle
does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
Permalink: https://github.com/advisories/GHSA-pqpp-2363-649vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxcHAtMjM2My02NDl2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-pqpp-2363-649v
References:
- https://hackerone.com/reports/404126
- https://www.npmjs.com/advisories/810
- https://github.com/advisories/GHSA-pqpp-2363-649v
Affected Packages
npm:buttle
Dependent packages: 1Dependent repositories: 73
Downloads: 36 last month
Affected Version Ranges: >= 0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2