Content & Code Injection (XSS)

Affecting marked package, versions <0.3.6

high severity

Overview

marked is a markdown parser and compiler used for rendering markdown content to HTML. It is vulnerable to a content injection attack that allows an attacker to bypass its output sanitization (sanitize: true) protection. Using HTML character references (the HTML Coded Character Set), an attacker can inject javascript: links into the output: the encoded href does not literally begin with javascript:, so the sanitizer's check passes it, yet the browser decodes the references and treats it as a javascript: URL. For example, the input javascript&#x58document;alert&#40;1&#41; results in alert(1) being executed when the user clicks on the link.
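
The check below is an added example written for this advisory; it is not marked's own code and does not reproduce its exact sanitizer. It contrasts a naive scheme check that inspects the raw href text (the class of weakness described above) with a hardened one that first decodes HTML character references the way a browser does (numeric decimal and hex, with or without the trailing semicolon, plus a few named references such as &colon;), decodes percent-encoding, strips control characters and whitespace, and then compares the scheme against an allow-list. The function names, the allow-list and all test hrefs are constructed for the example.

```javascript
// Added example, not marked's code: link-href scheme checks with and without
// browser-style decoding of HTML character references.

// Named references a browser resolves inside an attribute (a constructed,
// deliberately small subset; a production decoder would use the full table).
const NAMED_REFS = { colon: ':', tab: '\t', newline: '\n', amp: '&' };

// Decode character references like a browser does: numeric references are
// accepted with or without the trailing ';' (&#58; &#58 &#x3A; &#x3a), and
// hex/decimal digits are consumed greedily, exactly as the HTML tokenizer does.
function decodeCharRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// Naive check: tests the raw attribute text only. "javascript&#58;..." does not
// start with "javascript:" as written, so it passes, but the browser decodes
// the reference and runs it as a javascript: URL when the link is clicked.
function naiveHrefIsSafe(href) {
  return !/^\s*(javascript|vbscript):/i.test(href);
}

// Hardened check: decode character references and percent-encoding, drop ASCII
// control characters and whitespace (browsers ignore them inside a scheme),
// lower-case, then accept only an explicit allow-list of schemes. A relative
// URL, fragment or query string has no scheme to abuse and is accepted.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function hardenedHrefIsSafe(href) {
  let decoded = decodeCharRefs(href);
  try {
    decoded = decodeURIComponent(decoded);
  } catch (e) {
    return false; // malformed percent-encoding: reject rather than guess
  }
  const cleaned = decoded.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1]);
}

// Constructed hrefs showing where the two checks diverge.
const SAMPLES = [
  'https://example.com/page',
  '/relative/path#section',
  'javascript:alert(1)',
  'javascript&#58;alert(1)',   // decimal reference with semicolon
  'javascript&#58alert(1)',    // decimal reference without semicolon
  'javascript&colon;alert(1)', // named reference
  'java\tscript:alert(1)',     // tab inside the scheme
  'JavaScript%3Aalert(1)',     // percent-encoded colon
];

for (const href of SAMPLES) {
  console.log(JSON.stringify(href), 'naive:', naiveHrefIsSafe(href), 'hardened:', hardenedHrefIsSafe(href));
}
```

Rejecting on malformed percent-encoding is a conservative choice: it drops a small number of odd but harmless hrefs in exchange for never letting an undecodable value through. The allow-list approach also stops schemes the original check never named, such as data:, which is the reason to prefer it over a deny-list of known-bad prefixes.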

Remediation

Upgrade marked to version 0.3.6 or higher. Alternatively, you can patch the vulnerability using the Snyk wizard, or switch to remarkable or another markdown library.


Credit: Matt Austin
CWE: CWE-79
Snyk ID: npm:marked:20150520
Disclosed: 20 May, 2015
Published: 20 Apr, 2016