PT-2020-19784 · Markdown It · Markdown-It-Highlightjs

Ooooooo_Q

Published

2020-11-16

Updated

2022-02-10

CVE-2020-7773

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions markdown-it-highlightjs versions prior to 3.3.1

Description This issue allows malicious JavaScript to be inserted as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. The vulnerability can be exploited by manipulating the lang value, enabling the execution of malicious code.

Recommendations For versions prior to 3.3.1, update to version 3.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the lang parameter in the markdown-it-highlightjs Inline code highlighting feature to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-7773

GHSA-F246-XRRJ-G8J6

SNYK-JS-MARKDOWNITHIGHLIGHTJS-1040461

Affected Products

Markdown-It-Highlightjs

PT-2020-19784 · Markdown It · Markdown-It-Highlightjs

CVE-2020-7773

Weakness Enumeration

Related Identifiers

Affected Products

References · 8