Description
Remote Code Execution in markdown-pdf
Versions of markdown-pdf prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If a markdown file containing malicious HTML is converted to PDF, the resulting PDF file will execute any JavaScript code present in the original markdown file. This may allow attackers to achieve remote code execution.
Recommendation
Upgrade to version 9.0.0 or later.
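As an added example (not code from the advisory or from the markdown-pdf project): a pre-conversion guard for applications that cannot upgrade immediately. It checks the installed version against 9.0.0 and escapes raw HTML tags outside fenced code blocks before the markdown reaches the converter. The function names and the sample input are constructed for this illustration.

```javascript
// Added example, not part of the advisory or of markdown-pdf.
// Assumption: the application holds the markdown as a string before calling
// the converter, so it can neutralise raw HTML first. Names are constructed.

const FIXED_VERSION = "9.0.0"; // first fixed release per the advisory

// True when `installed` (e.g. "8.2.1" or "v8.2.1") is below the fixed release.
// Plain numeric comparison of the first three components; no semver dependency.
function isVulnerableVersion(installed) {
  const parts = installed.replace(/^[^\d]*/, "").split(".").map((n) => parseInt(n, 10) || 0);
  const fixed = FIXED_VERSION.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== fixed[i]) return a < fixed[i];
  }
  return false; // exactly 9.0.0
}

// Start of any raw tag, comment or processing instruction: "<" followed by
// "/", "!", "?" or a letter. Literal text such as "a < b" is left alone.
const TAG_START = /<(?=\/?[A-Za-z!?])/g;

// Escapes the "<" of every raw tag outside fenced code blocks so the converter's
// HTML stage renders it as text instead of executing <script> or event handlers.
// Fenced blocks are kept intact because the converter renders them literally.
// Inline code spans are escaped too (conservative; they may then show "&lt;").
function neutraliseRawHtml(markdown) {
  let inFence = false;
  return markdown
    .split("\n")
    .map((line) => {
      if (/^\s{0,3}(`{3}|~{3})/.test(line)) { inFence = !inFence; return line; }
      return inFence ? line : line.replace(TAG_START, "&lt;");
    })
    .join("\n");
}

// Markdown to hand to the converter: untouched on a fixed version,
// neutralised on a vulnerable one.
function guardForConversion(markdown, installedVersion) {
  return isVulnerableVersion(installedVersion) ? neutraliseRawHtml(markdown) : markdown;
}

// Constructed sample: a script tag outside a fence, a tag inside a fence.
const sample = "# Report\n<script>/* injected */</script>\n~~~\n<b>kept</b>\n~~~";
console.log(guardForConversion(sample, "8.0.0"));
```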
Packages
Name | Affected versions | Fixed version
markdown-pdf (npm) | < 9.0.0 | 9.0.0
Related vulnerabilities
CVSS3: 5.5 | nvd | more than 7 years ago
A path traversal exists in markdown-pdf versions <9.0.0 that allows a user to insert malicious HTML code that can result in reading local files.