Description

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

Remediation

References

http://www.openwall.com/lists/oss-security/2014/05/13/1

http://www.openwall.com/lists/oss-security/2014/05/15/2

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3743

https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities

Related Vulnerabilities

CVE-2019-20330 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2019-1003026 Vulnerability in maven package org.jenkins-ci.plugins:mattermost

CVE-2018-1000873 Vulnerability in maven package com.fasterxml.jackson.datatype:jackson-datatype-jsr310

CVE-2020-27219 Vulnerability in maven package org.eclipse.hawkbit:hawkbit-update-server

CVE-2022-29251 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Issue Tracking Broken Link