CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2021-39199

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0600%
EPSS Percentile20.30th
Published2021年9月7日
Last Modified2024年11月21日

Vulnerability Description

remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.

Affected Platforms (CPE)

📦
Remark

Remark Html

< 13.0.2
📦
Remark

Remark Html

>= 14.0.0 and < 14.0.1

References & Advisories

🔗 https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1
🔗 https://github.com/remarkjs/remark-html/releases/tag/14.0.1
🔗 https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m
🔗 https://www.npmjs.com/package/remark-html
🔗 https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1
🔗 https://github.com/remarkjs/remark-html/releases/tag/14.0.1
🔗 https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m
🔗 https://www.npmjs.com/package/remark-html

相關漏洞威脅

CVE-2006-14364.3

Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event Publisher allow remote attackers to inject arbitrary web sc...

CVE-2008-45204.3

Cross-site scripting (XSS) vulnerability in bulk_update.pl in AutoNessus before 1.2.2 allows remote attackers to inject arbitrary ...

CVE-2021-4155610.0

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to ...

CVE-2021-3467910.0

Thycotic Password Reset Server before 5.3.0 allows credential disclosure.