Search for packages
| purl | pkg:npm/marked@0.2.8 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1vxb-uvrf-63fn
Aliases: GMS-2016-24 |
Sanitization bypass using HTML Entities Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. |
Affected by 7 other vulnerabilities. |
|
VCID-34a4-7ede-7qfd
Aliases: CVE-2015-1370 GHSA-cfjh-p3g4-3q2f |
VBScript Content Injection in marked |
Affected by 10 other vulnerabilities. |
|
VCID-686c-bk5y-k7gr
Aliases: CVE-2018-25110 GHSA-p9wx-2529-fp83 |
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service. |
Affected by 3 other vulnerabilities. |
|
VCID-8wcn-cw8p-57e8
Aliases: CVE-2017-16114 GHSA-x5pg-88wf-qq4p |
Regular Expression Denial of Service in marked |
Affected by 3 other vulnerabilities. |
|
VCID-9wvm-us1k-6bhs
Aliases: CVE-2022-21680 GHSA-rrrm-qjm4-v8hf |
Inefficient Regular Expression Complexity in marked |
Affected by 0 other vulnerabilities. |
|
VCID-bcyk-4f2v-xkdv
Aliases: CVE-2017-17461 GHSA-crmx-v835-hcp4 |
Moderate severity vulnerability that affects marked |
Affected by 3 other vulnerabilities. |
|
VCID-dcts-5pkt-tfh7
Aliases: GHSA-32vw-r77c-gm67 |
Withdrawn Advisory: marked cross-site scripting vulnerability |
Affected by 10 other vulnerabilities. |
|
VCID-dn5c-n7r6-pqb4
Aliases: GMS-2015-1 |
Regular expression denial of service Marked is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed. |
Affected by 9 other vulnerabilities. |
|
VCID-e79f-8rxd-q3e6
Aliases: CVE-2016-10531 GHSA-vfvf-mqq8-rwqc |
Sanitization bypass using HTML Entities in marked |
Affected by 7 other vulnerabilities. |
|
VCID-fczp-sf61-7bft
Aliases: GMS-2017-212 |
Regular Expression Denial of Service The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. |
Affected by 3 other vulnerabilities. |
|
VCID-jmm3-pphv-nygr
Aliases: CVE-2015-8854 GHSA-hjcp-j389-59ff |
Regular Expression Denial of Service in marked |
Affected by 9 other vulnerabilities. |
|
VCID-qf5t-nkv6-duac
Aliases: CVE-2022-21681 GHSA-5v2h-r2cx-5xgj |
Inefficient Regular Expression Complexity in marked |
Affected by 0 other vulnerabilities. |
|
VCID-u8kt-219c-pfgv
Aliases: CVE-2014-1850 |
Multiple Content Injection Vulnerabilities Marked comes with an option to sanitize user output to help protect against content injection attacks. ```sanitize: true``` Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser. Injection is possible in two locations - gfm codeblocks (language) - javascript url's |
Affected by 13 other vulnerabilities. |
|
VCID-uqqa-ue5d-fyc3
Aliases: CVE-2017-1000427 GHSA-7px7-7xjx-hxm8 |
Marked vulnerable to XSS from data URIs |
Affected by 5 other vulnerabilities. |
|
VCID-w9r3-9t8g-fubv
Aliases: CVE-2014-3743 GHSA-9cw2-jqp5-7x39 |
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. |
Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||