GitHub Advisory DatabaseGHSA-QJ3F-9GMQ-FWV5Cross-Site Scripting in simple-markdown
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
51.0%
Versions of simple-markdown prior to 0.4.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.
Recommendation
Upgrade to version 0.4.4 or later.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| khanacademy | simple-markdown | * | cpe:2.3:a:khanacademy:simple-markdown:*:*:*:*:*:node.js:*:* |
References
github.com/advisories/GHSA-qj3f-9gmq-fwv5
github.com/Khan/simple-markdown/pull/63
lists.fedoraproject.org/archives/list/[email protected]/message/JFLP3KJVSV5VWMNEBRXLGRVYFXOV5KOG/
lists.fedoraproject.org/archives/list/[email protected]/message/KZG2I7VH7WLSEUQ77KYP5CRAVFT2RK2U/
lists.fedoraproject.org/archives/list/[email protected]/message/O5EFW655O3BXZYAPB65XEREXB2DSNSOT/
nvd.nist.gov/vuln/detail/CVE-2019-9844
www.npmjs.com/advisories/815
www.npmjs.com/package/simple-markdown/v/0.4.4
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
51.0%