CVE-2018-3770 – markdown-pdf
Package
Manager: npm
Name: markdown-pdf
Vulnerable Version: >=0 <9.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0027 (percentile 0.50198)
Details
Remote Code Execution in markdown-pdf
Versions of markdown-pdf prior to 9.0.0 do not sanitize HTML embedded in markdown input. When a markdown file containing malicious HTML is converted to PDF, any JavaScript in that HTML is executed by the headless browser (PhantomJS) that markdown-pdf uses to render the document, on the host performing the conversion and with that process's privileges. Note that the CVSS vectors above score confidentiality impact only (C:H/I:N/A:N) and the finding is classified as CWE-22, which is consistent with attacker-supplied script reading files from the converting host rather than with full code execution; either way, a service that converts markdown supplied by untrusted parties should treat that input as hostile.
Recommendation
Upgrade to version 9.0.0 or later.
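The following is an added example, not code from markdown-pdf or from the advisory: a pre-flight check that a service converting user-supplied markdown can run before calling the converter. The version bound (below 9.0.0) is taken from the advisory; the HTML patterns, the function names and the sample markdown are this example's own constructions, and the installed version is assumed to be known to the caller (for instance read from package-lock.json).

```javascript
'use strict';
// Added example, not part of markdown-pdf or the advisory. Pre-flight checks
// for untrusted markdown: (1) refuse to run a markdown-pdf below the fixed
// version, (2) flag raw HTML that can carry script into the renderer, and
// (3) escape raw HTML as defence in depth before conversion.
// The version bound is from the advisory (affected: >=0 <9.0.0); the
// patterns, sample input and names below are constructed for this example.

const FIXED_VERSION = '9.0.0';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; prerelease/build ignored).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; no external semver dependency.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True for every version the advisory marks as vulnerable (anything < 9.0.0).
function isVulnerableVersion(installed) {
  return compareSemver(installed, FIXED_VERSION) < 0;
}

// Raw-HTML constructs that let a markdown file smuggle script to the renderer.
const ACTIVE_HTML_PATTERNS = [
  { name: 'script tag',           re: /<\s*script\b/i },
  { name: 'inline event handler', re: /<[^>]*\son\w+\s*=/i },
  { name: 'javascript: URL',      re: /javascript\s*:/i },
  { name: 'iframe/object/embed',  re: /<\s*(iframe|object|embed)\b/i },
];

// Report every line that matches one of the patterns above (1-based lines).
function findActiveHtml(markdown) {
  const findings = [];
  markdown.split(/\r?\n/).forEach((text, idx) => {
    for (const { name, re } of ACTIVE_HTML_PATTERNS) {
      if (re.test(text)) findings.push({ line: idx + 1, name });
    }
  });
  return findings;
}

// Conservative neutralisation: escape every "<" so no raw HTML tag survives
// into the HTML the renderer sees. Side effect: autolinks such as
// <https://example.com> render as literal text, acceptable for hostile input.
// Note this does not touch markdown-level link targets (e.g. javascript: URLs);
// those are caught by findActiveHtml and should cause the conversion to be refused.
function stripRawHtml(markdown) {
  return markdown.replace(/</g, '&lt;');
}

// Policy: refuse when the installed converter is vulnerable or any finding is
// present; otherwise hand `sanitized` (never the original text) to the converter.
function preflight(markdown, installedVersion) {
  const vulnerableVersion = isVulnerableVersion(installedVersion);
  const findings = findActiveHtml(markdown);
  return {
    vulnerableVersion,
    findings,
    allowed: !vulnerableVersion && findings.length === 0,
    sanitized: stripRawHtml(markdown),
  };
}

// Constructed sample: ordinary markdown with three smuggled script carriers.
const SAMPLE_MARKDOWN = [
  '# Quarterly report',
  '',
  'Plain **markdown** is fine.',
  '',
  '<script>document.title = "owned";</script>',
  '',
  '<img src="x" onerror="console.log(1)">',
  '',
  '[details](javascript:void(0))',
].join('\n');

console.log(JSON.stringify(preflight(SAMPLE_MARKDOWN, '8.2.0'), null, 2));
```

When `allowed` is true, the sanitized string is what should reach the converter (for example via markdown-pdf's `from.string(...)` input); the regex list is deliberately small and should be treated as a tripwire for refusing input, not as a complete HTML sanitizer.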
Metadata
Created: 2018-07-27T17:03:46Z
Modified: 2023-03-01T01:36:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-p7c9-jqhq-vr3v/GHSA-p7c9-jqhq-vr3v.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-p7c9-jqhq-vr3v
Finding: F063
Auto approve: 1