RSS   Vulnerabilities for 'Marked'   RSS

2021-02-08
 
CVE-2021-21306

CWE-400
 
 
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

 
2020-01-06
 
CVE-2014-3743

CWE-79
 
 
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

 
2018-06-06
 
CVE-2017-16114

CWE-400
 
 
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

 
2018-05-31
 
CVE-2016-10531

CWE-79
 
 
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

 
2018-01-02
 
CVE-2017-1000427

CWE-79
 
 
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

 
2015-01-27
 
CVE-2015-1370

CWE-Other
 
 
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

 

Copyright 2024, cxsecurity.com

 

Back to Top