Description

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Remediation

References

https://fluidattacks.com/advisories/relsb/

https://www.npmjs.com/package/markdown-pdf/

Related Vulnerabilities

CVE-2022-23621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

CVE-2022-25898 Vulnerability in maven package org.webjars.bower:jsrsasign

CVE-2022-1295 Vulnerability in maven package org.webjars.bowergithub.alvarotrigo:fullpage.js

CVE-2020-8124 Vulnerability in maven package org.webjars.npm:url-parse

Severity

Critical

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Tags

Exploit Third Party Advisory Product