
GHSA-xr53-m937-jr9c

Published: 03 Sep 2020
Source: github
GitHub: Reviewed

Description

Cross-Site Scripting in ngx-md

Versions of ngx-md prior to 6.0.3 are vulnerable to Cross-Site Scripting. Links are not properly restricted to http/https and can contain JavaScript which may lead to arbitrary code execution. Markdown input such as [Click Me](javascript:alert('Injected!'%29) is rendered as a Click Me link that executes JavaScript.

Recommendation

Upgrade to version 6.0.3 or later.
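
The restriction described above (link destinations limited to http/https), sketched as a check applied when a link is rendered. This is an added example, not code from ngx-md or from the advisory; `isAllowedHref`, `renderLink` and the placeholder base URL are hypothetical names chosen for illustration.

```javascript
// Added example, not ngx-md code: allow only http/https link destinations.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Placeholder base (assumption) so relative links such as "/docs" resolve to https.
const BASE = 'https://placeholder.invalid/';

function isAllowedHref(href) {
  if (typeof href !== 'string') return false;
  try {
    // WHATWG URL parsing trims leading spaces and control characters, drops
    // embedded tabs/newlines and lowercases the scheme, matching what a
    // browser does before it acts on the link.
    return ALLOWED_PROTOCOLS.has(new URL(href, BASE).protocol);
  } catch {
    return false; // unparseable destination: treat as unsafe
  }
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical link hook: a renderer would call this for every [text](href).
function renderLink(href, text) {
  const label = escapeHtml(text);
  if (!isAllowedHref(href)) return label; // keep the text, drop the link
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample destinations; the first is the input quoted in the advisory.
const samples = [
  "javascript:alert('Injected!'%29",
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,hello',
  'https://example.com/?a=1&b=2',
  '/docs/intro',
];
for (const href of samples) {
  console.log(JSON.stringify(href), '->', renderLink(href, 'Click Me'));
}
```

Parsing the destination with the URL parser, rather than matching a `javascript:` prefix as a string, is what catches the mixed-case, leading-space and embedded-tab variants.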

Packages

Name: ngx-md (npm)
Affected versions: < 6.0.3
Fixed version: 6.0.3

Weaknesses

CWE-79
