VBScript Content Injection Affecting marked Open this link in a new tab package, versions <0.3.3
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
npm:marked:20140131-2
-
published
30 Jan 2014
-
disclosed
30 Jan 2014
-
credit
Xiao Long
Introduced: 30 Jan 2014
CVE-2015-1370 Open this link in a new tabHow to fix?
Upgrade marked
to version 0.3.3 or higher.
Overview
marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.
Affected versions of this package are vulnerable to VBScript Content Injection. [xss link](vbscript:alert(1))
will get a link
<a href="vbscript:alert(1)">xss link</a>
This script does not work in IE 11 edge mode, but works in IE 10 compatibility view.