Cross-site Scripting (XSS) Affecting moemark package, versions *
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-MOEMARK-1083284
- published 9 Mar 2021
- disclosed 10 Dec 2017
- credit silviavali
How to fix?
There is no fixed version for moemark
.
Overview
moemark is a Moeditor's markdown parser, forked from marked.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Malicious JavaScript can be inserted as part of a .md
file. This can be leveraged to execute arbitrary commands on a victim's system due to nodeIntegration
being enabled on moeditor
. This issue exists due to no sanitization in momark
.
PoC
<onmouseover="alert(1)"> <s onmouseover="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">Hallo</s>
References
CVSS Scores
version 3.1