Description
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.
Remediation
References
https://fluidattacks.com/advisories/relsb/
https://www.npmjs.com/package/markdown-pdf/