CVE-2023-0835 – markdown-pdf
Package
Manager: npm
Name: markdown-pdf
Vulnerable Version: >=0 <=11.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00108 (percentile: 0.29658)
Details
markdown-pdf is vulnerable to local file read via server-side cross-site scripting (XSS). markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.
Metadata
Created: 2023-04-05T00:30:38Z
Modified: 2025-02-13T18:51:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qghr-877h-f9jh/GHSA-qghr-877h-f9jh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-qghr-877h-f9jh
Finding: F425
Auto approve: 1