CVE-2022-36036

Опубликовано: 29 авг. 2022

Источник: nvd

CVSS3: 3.6

CVSS3: 7.8

EPSS Низкий

Описание

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.

Ссылки

https://github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a
Patch
Third Party Advisory
https://github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628
Exploit
Third Party Advisory
https://github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a
Patch
Third Party Advisory
https://github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:mdx-mermaid_project:mdx-mermaid:*:*:*:*:*:node.js:*:*

Версия от 0.0.1 (включая) до 1.3.0 (исключая)

cpe:2.3:a:mdx-mermaid_project:mdx-mermaid:2.0.0:rc1:*:*:*:node.js:*:*

EPSS

Процентиль: 33%

0.00129

Низкий

3.6 Low

CVSS3

7.8 High

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-rvgm-35jw-q628

CVSS3: 3.6

github

больше 3 лет назад

Improper Control of Generation of Code ('Code Injection') in mdx-mermaid

EPSS

Процентиль: 33%

0.00129

Низкий

3.6 Low

CVSS3

7.8 High

CVSS3

Дефекты

CWE-94