Lookup for vulnerable packages by Package URL.

Purl pkg:npm/marked@0.3.6
Type npm
Namespace
Name marked
Version 0.3.6
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.3.7
Latest_non_vulnerable_version 4.0.10
Affected_by_vulnerabilities
0
url VCID-edfz-a78w-13dh
vulnerability_id VCID-edfz-a78w-13dh
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
marked is vulnerable to an XSS attack in the data: URI parser.
references
0
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
1
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
2
reference_url https://snyk.io/vuln/npm:marked:20170112
reference_id
reference_type
scores
url https://snyk.io/vuln/npm:marked:20170112
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
reference_id CVE-2017-1000427
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
fixed_packages
0
url pkg:npm/marked@0.3.7
purl pkg:npm/marked@0.3.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/marked@0.3.7
aliases CVE-2017-1000427
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-edfz-a78w-13dh
Fixing_vulnerabilities
0
url VCID-5bd3-3bhj-e7hr
vulnerability_id VCID-5bd3-3bhj-e7hr
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
references
0
reference_url https://github.com/chjj/marked/pull/592
reference_id
reference_type
scores
url https://github.com/chjj/marked/pull/592
1
reference_url https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
reference_id
reference_type
scores
url https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
2
reference_url https://nodesecurity.io/advisories/101
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/101
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-10531
reference_id CVE-2016-10531
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-10531
fixed_packages
0
url pkg:npm/marked@0.3.6
purl pkg:npm/marked@0.3.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-edfz-a78w-13dh
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/marked@0.3.6
aliases CVE-2016-10531
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5bd3-3bhj-e7hr
1
url VCID-7hw9-qfnv-gkcr
vulnerability_id VCID-7hw9-qfnv-gkcr
summary
Sanitization bypass using HTML Entities
Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
references
0
reference_url https://github.com/chjj/marked/pull/592
reference_id
reference_type
scores
url https://github.com/chjj/marked/pull/592
1
reference_url https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
reference_id
reference_type
scores
url https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
fixed_packages
0
url pkg:npm/marked@0.3.6
purl pkg:npm/marked@0.3.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-edfz-a78w-13dh
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/marked@0.3.6
aliases GMS-2016-24
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7hw9-qfnv-gkcr
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/marked@0.3.6