Back to CVE Browser

CVE-2021-39199

CRITICAL

10.0

CVSS Severity Score

EPSS Score0.0600%

EPSS Percentile20.30th

PublishedSep 7, 2021

Last ModifiedNov 21, 2024

Vulnerability Description

remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.

Affected Platforms (CPE)

📦

Remark

Remark Html

< 13.0.2

📦

Remark

Remark Html

>= 14.0.0 and < 14.0.1

References & Advisories

🔗 https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1

🔗 https://github.com/remarkjs/remark-html/releases/tag/14.0.1

🔗 https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m

🔗 https://www.npmjs.com/package/remark-html

🔗 https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1

🔗 https://github.com/remarkjs/remark-html/releases/tag/14.0.1

🔗 https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m

🔗 https://www.npmjs.com/package/remark-html

Related Vulnerabilities

CVE-2006-14364.3

Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event Publisher allow remote attackers to inject arbitrary web sc...

CVE-2008-45204.3

Cross-site scripting (XSS) vulnerability in bulk_update.pl in AutoNessus before 1.2.2 allows remote attackers to inject arbitrary ...

CVE-2021-3467910.0

Thycotic Password Reset Server before 5.3.0 allows credential disclosure.

CVE-2021-021110.0

An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon ...