The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade katex
to version 0.16.10 or higher.
katex is a Fast math typesetting for the web.
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to the trust
option. Specifically, the functionality that provides a function to blacklist certain URL protocols, can be bypassed by URLs in malicious inputs that utilize uppercase characters in the protocol. This can allow for the generation of javascript:
links in the output, even when the trust
function is designed to forbid this protocol.
Users can apply the following steps to mitigate the vulnerability:
Allow-list instead of block protocols in your trust function.
Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
Avoid use of or turn off the trust option.