GHSA-mq6v-w35g-3c97 – zmarkdown
Package
Manager: npm
Name: zmarkdown
Vulnerable Version: >=0 <10.1.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Local File Inclusion vulnerability in zmarkdown

### Impact

A minor Local File Inclusion vulnerability has been found in `zmarkdown`, which allowed images with a known path on the host machine to be included in a generated LaTeX document. To prevent it, a new option has been added that replaces invalid paths with a default image instead of linking to the image on the host directly; `zmarkdown` has been updated to make this setting the default.

Every user of `zmarkdown` is likely impacted, unless LaTeX generation or image downloading is disabled.

Here is an example of including an image from an invalid path:

```markdown
```

This will effectively re-download and include the image found at `/tmp/img.png`.

### Patches

The vulnerability has been patched in version 10.1.3. If impacted, you should update to this version as soon as possible.

### Workarounds

Disable image downloading, or sanitize image paths so that local filesystem paths are never handed to the downloader.

### For more information

If you have any questions or comments about this advisory, open an issue in [ZMarkdown](https://github.com/zestedesavoir/zmarkdown/issues).
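The replace-invalid-paths behaviour the advisory describes, shown as an added JavaScript example. This is illustrative code written for this page, not zmarkdown's own implementation; the function names, the `DEFAULT_IMAGE` fallback, the `downloadDir` layout, the regex extractor and the sample markdown are all assumptions. The vulnerable resolver passes the author's path through unchanged, so a host path such as `/tmp/img.png` reaches the `\includegraphics` line; the hardened resolver replaces anything that is not an absolute http(s) URL with the default image before any download or rendering step sees it.

```javascript
// Added example, not zmarkdown's own code: classify markdown image sources
// before any LaTeX/image-download step touches the filesystem, and replace
// everything that is not an absolute http(s) URL with a default image (the
// behaviour the advisory describes for the 10.1.3 option). Function names,
// DEFAULT_IMAGE, downloadDir and the sample markdown are assumptions.

const DEFAULT_IMAGE = 'static/missing-image.png'; // assumed fallback asset

// True only for sources a remote fetcher should handle. new URL() throws for
// relative paths and bare filesystem paths; file:, data: and Windows drive
// "schemes" (C:\...) parse but fail the protocol check.
function isRemoteHttpUrl(src) {
  let url;
  try {
    url = new URL(src);
  } catch (_) {
    return false;
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Vulnerable shape: trust the author's path and hand it straight to the
// downloader, which is how a host path such as /tmp/img.png ends up copied
// into the document.
function resolveImageUnsafe(src) {
  return { src, replaced: false, reason: null };
}

// Hardened shape: anything that is not an http(s) URL becomes the default
// image, and the reason is recorded so a caller can log it.
function resolveImageSafe(src, defaultImage = DEFAULT_IMAGE) {
  if (typeof src !== 'string' || src.trim() === '') {
    return { src: defaultImage, replaced: true, reason: 'empty' };
  }
  const trimmed = src.trim();
  if (!isRemoteHttpUrl(trimmed)) {
    return { src: defaultImage, replaced: true, reason: 'not-http-url' };
  }
  return { src: trimmed, replaced: false, reason: null };
}

// Build the \includegraphics line for one resolved image. A remote image is
// assumed to have been saved under downloadDir by the fetcher (the download
// itself is outside this example); the saved name is derived from the URL
// path and restricted to a safe character set so it cannot carry "..",
// braces or other characters that would alter the LaTeX argument.
function latexIncludeGraphics(resolved, downloadDir = 'images') {
  if (resolved.replaced) {
    return `\\includegraphics{${resolved.src}}`;
  }
  if (!isRemoteHttpUrl(resolved.src)) {
    // Only reachable through the unsafe resolver: the host path is emitted
    // verbatim, which is the inclusion the advisory describes.
    return `\\includegraphics{${resolved.src}}`;
  }
  const rawName = new URL(resolved.src).pathname.split('/').pop() || 'image';
  const safeName =
    rawName.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '') || 'image';
  return `\\includegraphics{${downloadDir}/${safeName}}`;
}

// Minimal extractor for markdown image syntax ![alt](src "title"); enough for
// the demonstration, not a full CommonMark parser.
const IMAGE_RE = /!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)/g;

// Render every image in a markdown string to LaTeX using the chosen resolver.
function renderImagesToLatex(markdown, resolver = resolveImageSafe) {
  const out = [];
  for (const match of markdown.matchAll(IMAGE_RE)) {
    out.push(latexIncludeGraphics(resolver(match[1])));
  }
  return out;
}

// Constructed sample input: one legitimate remote image, one host path of the
// kind the advisory describes, one file: URL and one traversal attempt.
const SAMPLE_MARKDOWN = [
  'Remote: ![logo](https://example.org/assets/logo.png "Logo")',
  'Host path: ![leak](/tmp/img.png)',
  'File URL: ![leak2](file:///etc/hostname)',
  'Traversal: ![leak3](../../etc/passwd)',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderImagesToLatex(SAMPLE_MARKDOWN, resolveImageUnsafe));
  console.log('safe:  ', renderImagesToLatex(SAMPLE_MARKDOWN));
}
```

Run with `node` to see both renderings side by side: the unsafe resolver emits `\includegraphics{/tmp/img.png}` for the second image, while the safe resolver emits the default image for every non-http(s) source and only the remote image keeps a real path. Note that the check is on the URL scheme, not on path shape, so Windows drive letters, `file:` and `data:` URLs are rejected by the same rule as bare paths.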
Metadata
Created: 2024-02-03T00:37:56Z
Modified: 2024-05-14T22:01:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-mq6v-w35g-3c97/GHSA-mq6v-w35g-3c97.json
CWE IDs: []
Alternative ID: N/A
Finding: F123
Auto approve: 1