Cross-site Scripting (XSS) via Data URIs

Affecting marked package, versions <0.3.7

high severity

Overview

marked is a markdown parser and compiler used for rendering markdown content to HTML. Affected versions of the package accepted data: URIs, for all MIME types, as link targets by default, potentially opening the door to Cross-site Scripting (XSS) attacks.

Details

Data URIs embed a small file directly in the URL itself, so an HTML document can carry content inline without hosting a separate file. An attacker who controls markdown rendered by an affected version can supply a link whose data: target contains HTML or script; a victim who follows the link has that content loaded by the browser, which can be used to bypass access controls or steal sensitive information. Note that current browsers block top-level navigation to data: URLs and give a data: document an opaque origin, which limits the impact in up-to-date clients; a renderer that sanitizes link targets should nevertheless reject the scheme (or restrict it to image MIME types) rather than rely on the browser.

An example of a data URI used to deliver JavaScript code, wrapped in a markdown link: the data part is the base64 encoding of a <script>alert('XSS')</script> tag.

[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
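The check a sanitizing renderer needs, as an added example written for this advisory rather than code from the marked project: a scheme allowlist for link targets that rejects data:, javascript: and vbscript: even when the scheme is uppercased, percent-encoded, entity-encoded or padded with control characters, plus a helper that decodes the advisory's payload to show the embedded script tag. The function names (isSafeLinkHref, renderLink, decodeDataUriBase64) and the allowlist contents are assumptions of the example; it runs under Node.js.

```javascript
// Added example (not marked's own code): allowlist the URL scheme of a
// markdown link target instead of blocklisting individual bad schemes.

// Schemes an emitted <a href> may carry. Everything else, data: included,
// is dropped. Scheme-less (relative) links are allowed. (Assumed allowlist.)
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Undo the encodings an attacker hopes a filter will not look through:
// percent-encoding, numeric HTML entities, and the ASCII whitespace/C0
// control characters browsers strip when parsing a URL ("java\tscript:").
// Returns null for malformed input, which the caller treats as unsafe.
function normalizeHref(href) {
  try {
    return decodeURIComponent(href)
      .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
      .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
      .replace(/[\u0000-\u0020]/g, '')
      .toLowerCase();
  } catch (e) {
    // URIError from bad percent-encoding, RangeError from an invalid code point.
    return null;
  }
}

// True only when the href is relative or uses an allowed scheme.
function isSafeLinkHref(href) {
  const norm = normalizeHref(href);
  if (norm === null) return false;
  const m = /^([a-z][a-z0-9+.-]*):/.exec(norm);
  if (!m) return true;              // no scheme: a relative link
  return ALLOWED_SCHEMES.has(m[1]); // data:, javascript:, vbscript: fail here
}

// Minimal HTML escaping for the attribute value and link text we emit.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Render a markdown link [text](href). An unsafe href yields the bare text,
// i.e. the link is dropped, which is what a sanitizing renderer should do.
function renderLink(href, text) {
  if (!isSafeLinkHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Decode the base64 body of a data: URI so the embedded document can be inspected.
function decodeDataUriBase64(href) {
  const m = /^data:([^,]*);base64,(.*)$/i.exec(href);
  if (!m) return null;
  return Buffer.from(m[2], 'base64').toString('utf8');
}

// The link target from this advisory, copied from the markdown above.
const ADVISORY_PAYLOAD = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K';

console.log(decodeDataUriBase64(ADVISORY_PAYLOAD));   // the <script> tag
console.log(renderLink(ADVISORY_PAYLOAD, 'xss link')); // link dropped, text kept
console.log(renderLink('https://example.com/docs', 'docs'));
```

The allowlist is deliberately short; add schemes (tel:, ftp:) only as your application needs them. Normalization here undoes one layer of each encoding, which is enough for the advisory's payload and the common tricks shown in the tests; a filter facing nested encodings should loop until the string stops changing.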

Remediation

Upgrade marked to version 0.3.7 or higher. Alternatively, apply the Snyk patch for this vulnerability using the Snyk wizard.

Credit
Snyk Security Research Team
CVE
CVE-2017-1000427
CWE
CWE-79
Snyk ID
npm:marked:20170112
Disclosed
12 Jan, 2017
Published
30 Jan, 2017