Lucene search
HackeroneCVELIST:CVE-2016-10531HistoryApr 26, 2018 - 12:00 a.m.
CVE-2016-10531
2018-04-2600:00:00
CWE-79
hackerone
www.cve.org
2
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it’s possible to bypass marked’s content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.
CNA Affected
[
{
"product": "marked node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "<=0.3.5"
}
]
}
]Related
osv
osv
CVE-2016-10531
2018-05-31 20:29:01
Sanitization bypass using HTML Entities in marked
2019-02-18 23:58:20
nodejs
nodejs
Sanitization bypass using HTML Entities
2016-04-18 16:26:59
github
github
Sanitization bypass using HTML Entities in marked
2019-02-18 23:58:20
nvd
nvd
CVE-2016-10531
2018-05-31 20:29:01
CVE-2016-1000013
2018-06-17 20:29:00
prion
prion
Code injection
2018-05-31 20:29:00
Design/Logic Flaw
2018-06-17 20:29:00
cve
cve
CVE-2016-10531
2018-05-31 20:29:01
CVE-2016-1000013
2018-06-17 20:29:00
ubuntucve
ubuntucve
CVE-2016-10531
2018-05-31 00:00:00
debiancve
debiancve
CVE-2016-10531
2018-05-31 20:29:01
