PT-2022-7696 · Npm · @Marp-Team/Marp-Core
Ry0Tak
·
Published
2022-01-23
·
Updated
2024-12-26
·
CVE-2024-56510
CVSS v3.1
5.3
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
@marp-team/marp-core versions 3.0.2 through 3.9.0
@marp-team/marp-core version 4.0.0
Description
This is a cross-site scripting (XSS) issue caused by improper neutralization of HTML in the package's built-in sanitizer. The sanitizer's allowlist is enabled by default, but when the Markdown input contains HTML comments the sanitizer can fail to neutralize the surrounding HTML correctly, so script injected through rendered Markdown may execute in the viewer's browser. Any application that renders Markdown from untrusted sources with an affected Marp Core version is exposed.
Recommendations
For @marp-team/marp-core versions 3.0.2 through 3.9.0, update to version 3.9.1 or later.
For @marp-team/marp-core version 4.0.0, update to version 4.0.1 or later.
As a temporary workaround, disable all HTML tags by passing the html: false option to the Marp class constructor, for example:
    const marp = new Marp({ html: false })
Note that this also drops legitimate HTML in slides, so updating to a fixed release remains the actual fix.
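To make the affected ranges and the workaround concrete, here is an added example in JavaScript; it is not code from this advisory or from Marp Core. It compares a version string against the ranges listed above and, only if @marp-team/marp-core happens to be installed, renders a constructed Markdown sample through new Marp({ html: false }) so that a raw tag is escaped rather than emitted. The helper names parseVersion, compareVersions, checkMarpCoreVersion and renderWithHtmlDisabled and the sample input are this example's own; the render() method and its html field are Marp Core's documented API.

```javascript
// Added example for this advisory; it is not code from Marp Core or from the
// advisory's author. It checks an @marp-team/marp-core version string against
// the affected ranges listed above and, if the package happens to be
// installed, renders a constructed Markdown sample with the documented
// workaround (html: false) so that raw HTML is escaped instead of emitted.

// Affected ranges and fixed releases, copied from the advisory.
const AFFECTED_RANGES = [
  { min: '3.0.2', max: '3.9.0', fixedIn: '3.9.1' },
  { min: '4.0.0', max: '4.0.0', fixedIn: '4.0.1' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
// Build metadata is ignored; a pre-release tag is kept because a pre-release
// of X sorts before X under semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. Pre-release identifiers are compared as plain strings,
// a simplification of the full semver rules that is enough for range checks
// against release versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release sorts after a pre-release of the same version
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Returns { affected, fixedIn } for an installed marp-core version string.
function checkMarpCoreVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0) {
      return { affected: true, fixedIn: r.fixedIn };
    }
  }
  return { affected: false, fixedIn: null };
}

// Render Markdown with the workaround from the advisory. Returns the HTML
// string, or null when @marp-team/marp-core is not installed, so this file
// still runs offline. render() and its .html field are Marp Core's API;
// everything else here is this example's own code.
function renderWithHtmlDisabled(markdown) {
  let Marp;
  try {
    ({ Marp } = require('@marp-team/marp-core'));
  } catch (e) {
    return null;
  }
  const marp = new Marp({ html: false });
  return marp.render(markdown).html;
}

// Constructed sample input (not from the advisory): a slide with a raw tag and
// an HTML comment, the two things an allowlist sanitizer has to decide about.
const SAMPLE_MARKDOWN = '# Title\n\n<b>bold</b> and <!-- a comment -->\n';

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['3.0.1', '3.5.0', '3.9.1', '4.0.0', '4.0.1']) {
    console.log(v, checkMarpCoreVersion(v));
  }
  const html = renderWithHtmlDisabled(SAMPLE_MARKDOWN);
  console.log(html === null ? 'marp-core not installed; render skipped' : html);
}
```

Run it with node in a project that depends on marp-core and pass the version field of the installed package's package.json to checkMarpCoreVersion; a pre-release such as 4.0.0-beta.1 is deliberately reported as outside the listed ranges, since the advisory names only the release versions. The version check is a first cut for inventory work; the html: false render shows the workaround's effect but also strips legitimate HTML, which is why updating to 3.9.1 or 4.0.1 is the recommended fix.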
Affected Products
@Marp-Team/Marp-Core