Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.
References
Link | Resource |
---|---|
https://github.com/quantizor/markdown-to-jsx/commit/8eb74da825c0d8d2e9508d73c672bcae36ba555a | Patch |
https://security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886 | Third Party Advisory |
Configurations
History
17 Oct 2024, 20:36
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/quantizor/markdown-to-jsx/commit/8eb74da825c0d8d2e9508d73c672bcae36ba555a - Patch | |
References | () https://security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886 - Third Party Advisory | |
First Time |
Quantizor markdown-to-jsx
Quantizor |
|
CPE | cpe:2.3:a:quantizor:markdown-to-jsx:*:*:*:*:*:*:*:* |
15 Oct 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
15 Oct 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-15 05:15
Updated : 2024-10-17 20:36
NVD link : CVE-2024-21535
Mitre link : CVE-2024-21535
CVE.ORG link : CVE-2024-21535
JSON object : View
Products Affected
quantizor
- markdown-to-jsx
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')