GHSA-f246-xrrj-g8j6

Опубликовано: 10 фев. 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.1

Описание

Cross-site Scripting in markdown-it-highlightjs

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.

const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md().use(markdownItHighlightjs, { inline: true }).render('console.log(42){.">js}'); console.log(reuslt_xss);

Ссылки

Пакеты

Наименование

markdown-it-highlightjs

npm

Затронутые версииВерсия исправления

< 3.3.1

3.3.1

EPSS

Процентиль: 58%

0.00367

Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2020-7773

Дефекты

CWE-79

Связанные уязвимости

CVE-2020-7773

CVSS3: 6.5

nvd

около 5 лет назад

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);

EPSS

Процентиль: 58%

0.00367

Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2020-7773

Дефекты

CWE-79