Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhyNTMtbTkzNy1qcjlj
Cross-Site Scripting in ngx-md
Versions of ngx-md prior to 6.0.3 are vulnerable to Cross-Site Scripting. Links are not properly restricted to http/https and can contain JavaScript which may lead to arbitrary code execution. Markdown input such as [Click Me](javascript:alert('Injected!'%29) is rendered as a Click Me link that executes JavaScript.
Recommendation
Upgrade to version 6.0.3 or later.
Permalink: https://github.com/advisories/GHSA-xr53-m937-jr9cJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhyNTMtbTkzNy1qcjlj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-xr53-m937-jr9c
References:
- https://github.com/dimpu/ngx-md/issues/129
- https://www.npmjs.com/advisories/1485
- https://github.com/advisories/GHSA-xr53-m937-jr9c
Blast Radius: 0.0
Affected Packages
npm:ngx-md
Dependent packages: 22Dependent repositories: 140
Downloads: 6,455 last month
Affected Version Ranges: < 6.0.3
Fixed in: 6.0.3
All affected versions: 0.0.1, 2.0.0, 3.0.0, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 6.0.0, 6.0.1, 6.0.2
All unaffected versions: 6.0.3, 6.0.4, 6.0.5, 6.0.7, 6.0.8, 6.0.9, 7.0.0, 7.0.1, 7.0.2, 7.1.1, 7.1.3, 8.0.0, 8.1.6, 12.0.0, 12.0.4, 12.0.5, 14.0.0, 14.0.3, 14.0.8, 14.0.9