Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/270364?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/270364?format=api", "purl": "pkg:npm/marky-markdown@3.0.0", "type": "npm", "namespace": "", "name": "marky-markdown", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53367?format=api", "vulnerability_id": "VCID-j19n-gs88-mfhx", "summary": "HTML Injection in marky-markdown\nAll versions of `marky-markdown` are vulnerable to HTML Injection. The package fails to sanitize `style` attributes in `img` tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. ## Recommendation\n\nThis package is no longer maintained. Please upgrade to `@npmcorp/marky-markdown`", "references": [ { "reference_url": "https://github.com/npm/marky-markdown", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/marky-markdown" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-MARKYMARKDOWN-548871", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-MARKYMARKDOWN-548871" }, { "reference_url": "https://www.npmjs.com/advisories/1470", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1470" }, { "reference_url": "https://github.com/advisories/GHSA-mg69-6j3m-jvgw", "reference_id": "GHSA-mg69-6j3m-jvgw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mg69-6j3m-jvgw" } ], "fixed_packages": [], "aliases": [ "GHSA-mg69-6j3m-jvgw", "GMS-2020-370" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j19n-gs88-mfhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53398?format=api", "vulnerability_id": "VCID-ujju-2pf6-qqc6", "summary": "HTML Injection in marky-markdown\nAll versions of `marky-markdown` are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is `youtube.com` but it is possible to bypass the validation with sources where `youtube.com` is the sub-domain, such as `youtube.com.evil.co`. This This package is no longer maintained. Please upgrade to `@npmcorp/marky-markdown`", "references": [ { "reference_url": "https://github.com/npm/marky-markdown", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/marky-markdown" }, { "reference_url": "https://www.npmjs.com/advisories/1471", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1471" }, { "reference_url": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q", "reference_id": "GHSA-pxmp-fwjc-4x7q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q" } ], "fixed_packages": [], "aliases": [ "GHSA-pxmp-fwjc-4x7q", "GMS-2020-371" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ujju-2pf6-qqc6" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/marky-markdown@3.0.0" }