Content & Code Injection (XSS)
Affecting marked package, versions <0.3.6
marked is a markdown parser and compiler used for rendering markdown content to HTML. It is vulnerable to a content injection attack that allows an attacker to bypass its output sanitization (sanitize: true) protection. Using the HTML Coded Character Set (HTML character references), an attacker can encode a link target so that it passes the sanitizer's check on the href, while the browser still decodes the references inside the href attribute; the injected alert(1) then executes when the user clicks the link.
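The following is an added example, not marked's own code and not the original proof of concept (which this page does not reproduce). It contrasts a toy link renderer that checks the scheme of the raw href against one that decodes HTML character references first. The payload, the helper names and the allowlist of schemes are constructed for this illustration.

```javascript
// Added example, not marked's own code: a toy inline-link renderer in a
// vulnerable and a hardened form, showing why a scheme check on an href is
// useless unless HTML character references are decoded first. The payload
// below is constructed for this example, not the original proof of concept.

// Minimal decoder for numeric character references (&#58;, &#x3a;) and a few
// named ones. Real HTML has over two thousand named references; production
// code should use a complete table (for example the `he` package).
const NAMED_REFS = { colon: ':', lpar: '(', rpar: ')', amp: '&', lt: '<', gt: '>', quot: '"' };

function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    const r = ref.toLowerCase();
    if (r[0] === '#') {
      const cp = r[1] === 'x' ? parseInt(r.slice(2), 16) : parseInt(r.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return r in NAMED_REFS ? NAMED_REFS[r] : match;
  });
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable pattern: denylist a few schemes, compared against the href exactly
// as written in the markdown. "javascript&#58;alert(1)" does not start with
// "javascript:", so it is accepted, yet the browser decodes the reference inside
// the attribute and runs the script on click.
const DENIED_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

function naiveIsSafeHref(href) {
  const h = href.trim().toLowerCase();
  return !DENIED_SCHEMES.some((scheme) => h.startsWith(scheme));
}

// Hardened pattern: normalise the way a browser will (decode character
// references, decode percent-encoding, drop the control characters and
// whitespace a URL parser ignores inside a scheme), then allowlist schemes.
// Decoding percent-encoding is conservative: "javascript%3A..." is not a script
// URL to a browser, but rejecting it costs nothing.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function hardenedIsSafeHref(href) {
  let decoded;
  try {
    decoded = decodeURIComponent(decodeCharRefs(href));
  } catch (err) {
    return false; // malformed percent-encoding: reject instead of guessing
  }
  const normalised = decoded.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(normalised);
  if (scheme === null) return true; // relative URL, no scheme at all
  return ALLOWED_SCHEMES.includes(scheme[1]);
}

// Renders a single "[text](href)" link, or returns the escaped text when the
// href is rejected. The vulnerable form also copies the href into the output
// verbatim, which is what lets the character reference reach the browser.
const LINK_RE = /^\[([^\]]*)\]\((\S+)\)$/;

function renderLinkNaive(markdown) {
  const m = LINK_RE.exec(markdown.trim());
  if (m === null) return escapeHtml(markdown);
  const [, text, href] = m;
  if (!naiveIsSafeHref(href)) return escapeHtml(text);
  return `<a href="${href}">${escapeHtml(text)}</a>`;
}

function renderLinkHardened(markdown) {
  const m = LINK_RE.exec(markdown.trim());
  if (m === null) return escapeHtml(markdown);
  const [, text, href] = m;
  if (!hardenedIsSafeHref(href)) return escapeHtml(text);
  // Re-escape the decoded href so the output attribute is well-formed HTML.
  const clean = escapeHtml(decodeURIComponent(decodeCharRefs(href)));
  return `<a href="${clean}">${escapeHtml(text)}</a>`;
}

// Constructed payload: the colon of the scheme written as a character reference.
const PAYLOAD = '[click me](javascript&#58;alert(1))';

console.log('naive:    ' + renderLinkNaive(PAYLOAD));
console.log('hardened: ' + renderLinkHardened(PAYLOAD));
```

The naive renderer emits `<a href="javascript&#58;alert(1)">click me</a>`; the browser decodes the attribute value to a script URL and runs it on click. The hardened renderer drops the link and emits only the text, and it also rejects a scheme spelled with a decimal reference (`&#106;avascript:`), mixed case, or an embedded tab, because normalisation happens before the check.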
Upgrade marked to version 0.3.6 or higher.
Also, you can patch the vulnerability using the Snyk wizard. Alternatively, you can use
remarkable or other markdown libraries. Whichever you choose, do not rely on the markdown library's sanitize option as the only defence: run its HTML output through a dedicated HTML sanitizer before inserting it into the page.
Snyk patch available for versions:
- Matt Austin
- Snyk ID
- 20 May, 2015
- 20 Apr, 2016