CVE-2018-6806

Name of the Vulnerable Software and Affected Versions Marked versions 2 through 2.5.11

Description The issue allows remote attackers to read arbitrary files via a crafted HTML document that triggers a redirect to an "x-marked://preview?text=" URL. The value of the text parameter can include arbitrary JavaScript code, for example, making XMLHttpRequest calls.

Recommendations For Marked versions 2 through 2.5.11, as a temporary workaround, consider restricting access to the x-marked://preview endpoint until a patch is available. Avoid using the text parameter in the affected URL to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.