VBScript Content Injection

Affecting marked package, versions <0.3.3


Overview

marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

Affected versions of this package are vulnerable to VBScript Content Injection. The markdown input

[xss link](vbscript:alert(1&#41;)

is rendered as the link

<a href="vbscript:alert(1)">xss link</a>

Note that the &#41; entity in the input is decoded to ) in the emitted href, so the vbscript: URL reaches the browser intact.

This script does not work in IE 11 edge mode, but works in IE 10 compatibility view.
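The defensive check a markdown renderer needs for this class of bug, as an added example that is not marked's own code: decode HTML entities first, strip control characters, and then allow only an explicit list of URL schemes. The function names, the allowlist and the sample inputs are assumptions for illustration; the check generalises beyond vbscript: to any non-allowlisted scheme.

```javascript
// Added example, not part of marked. Demonstrates why a link-target check must
// run on the entity-decoded href: the input on this page hides ")" as &#41;.

// Decode numeric (&#41; / &#x29;) and a few common named entities so an
// entity-encoded scheme cannot slip past the scheme check below.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    const b = body.toLowerCase();
    if (b[0] === '#') {
      const cp = b[1] === 'x' ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(named, b) ? named[b] : match;
  });
}

// Allowlist of schemes a renderer may emit (an assumption for this example).
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

// True when the href is relative or uses an allowlisted scheme.
function isSafeHref(href) {
  const decoded = decodeEntities(href);
  // Drop control characters and whitespace that browsers ignore inside a scheme.
  const cleaned = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return true; // no scheme: relative path or fragment, nothing to execute
  return SAFE_SCHEMES.includes(m[1].toLowerCase());
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Emit an anchor only for safe targets; otherwise degrade to plain link text.
function renderLink(text, href) {
  if (!isSafeHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(decodeEntities(href))}">${escapeHtml(text)}</a>`;
}
```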

Remediation

Upgrade marked to version 0.3.3 or higher.

CVSS Score

6.5 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit: Xiao Long
CVE: CVE-2015-1370
CWE: CWE-74
Snyk ID: npm:marked:20140131-2
Disclosed: 30 Jan, 2014
Published: 30 Jan, 2014