CVE-2020-7680

Name of the Vulnerable Software and Affected Versions docsify versions prior to 4.11.4

Description The issue is related to Cross-site Scripting (XSS) and occurs due to the lack of validation in fragment identifiers used by docsify.js to load resources from server-side .md files. This allows an attacker to provide external URLs after the /#/ and render arbitrary JavaScript/HTML inside a docsify page. For example, an attacker could use a URL like 'domain.com/#//attacker.com' to exploit this issue.

Recommendations For versions prior to 4.11.4, update to version 4.11.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /#/ endpoint to minimize the risk of exploitation. Avoid using external URLs after the /#/ in docsify pages until the issue is resolved.