PT-2021-15446 · Docsify · Docsify

Egidio Romano +2 · Published 2021-02-19 · Updated 2021-03-01 · CVE-2021-23342

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions: docsify versions prior to 4.12.0

Description: The issue bypasses previous remediation efforts and allows malicious JavaScript to execute in two ways. First, when HTML is parsed from remote URLs, the main page's HTML is sanitized, but the sidebar's is not. Second, the isURL external check can be bypassed by inserting additional //// characters.

Recommendations: Update versions prior to 4.12.0 to version 4.12.0 or later to resolve the issue. As a temporary workaround, consider disabling the parsing of HTML from remote URLs or restricting the use of the sidebar until a patch is available. Avoid using the isURL external check with URLs containing multiple //// characters until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-23342
GHSA-2MM9-C2FX-C7M4
SNYK-JAVA-ORGWEBJARSNPM-1076593
SNYK-JS-DOCSIFY-1066017

Affected Products

Docsify