Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Reflected cross-site scripting vulnerabilities occur when unescaped input is echoed into the page returned to the user. When the input contains HTML or script, the user's browser processes it as HTML or script, which can alter the appearance of the page or execute malicious scripts in that user's context.
Regular expression denial of service (ReDoS) attacks make a system hang or run very slowly when an attacker sends a crafted input whose matching time grows exponentially with the input size. Denial of service attacks significantly degrade the service quality experienced by legitimate users: they introduce large response delays, excessive losses and service interruptions, with a direct impact on availability.
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "denial of service"
A denial of service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, among them exploiting network-packet handling, programming, logic or resource-handling vulnerabilities. Source: https://www.owasp.org/index.php/Denial_of_Service
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Vulnerabilities
Details
CVE-2015-8854
Vulnerable Library - marked-0.2.3.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.2.3/marked.js
Path to vulnerable library: /serviciosacademicos/PlanTrabajoDocenteV2/js/libs/marked.js
Dependency Hierarchy:
Found in HEAD commit: 2265875321fc6aedc20a6cbfb8dc5453f1e64f27
Found in base branch: master
Vulnerability Details
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8854
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8854
Release Date: 2017-01-23
Fix Resolution: 0.3.4
Step up your Open Source Security Game with WhiteSource here
WS-2018-0031
Vulnerability Details
marked versions through 0.3.5 are vulnerable to cross-site scripting (XSS) due to a sanitization bypass using HTML entities.
Publish Date: 2018-03-23
URL: WS-2018-0031
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: markedjs/marked#592
Release Date: 2018-03-23
Fix Resolution: 0.3.6
WS-2019-0026
Vulnerability Details
Versions 0.3.7 and earlier of marked support unescaping of lowercase entities only, so uppercase entities are not handled consistently, which may lead to XSS.
Publish Date: 2017-12-23
URL: WS-2019-0026
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@6d1901f
Release Date: 2017-12-23
Fix Resolution: 0.3.9
WS-2019-0025
Vulnerability Details
In versions 0.3.7 and earlier of marked, the link target (href) is not escaped when mangling is disabled via the mangle option. This is an XSS vulnerability that allows an attacker to inject arbitrary code.
Publish Date: 2017-12-23
URL: WS-2019-0025
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@cb72584
Release Date: 2017-12-23
Fix Resolution: 0.3.9
CVE-2016-10531
Vulnerability Details
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.
Publish Date: 2018-05-31
URL: CVE-2016-10531
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531
Release Date: 2018-05-31
Fix Resolution: 0.3.6
CVE-2014-3743
Vulnerability Details
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the language tag of GFM code blocks or (2) javascript: URLs.
Publish Date: 2020-01-06
URL: CVE-2014-3743
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743
Release Date: 2020-01-06
Fix Resolution: marked - 0.3.1
CVE-2017-1000427
Vulnerability Details
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
Publish Date: 2018-01-02
URL: CVE-2017-1000427
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427
Release Date: 2018-01-02
Fix Resolution: 0.3.7
WS-2020-0163
Vulnerability Details
marked before 1.1.1 is vulnerable to regular expression denial of service (ReDoS): rules.js has multiple unused capture groups, which can lead to a denial of service.
Publish Date: 2020-07-02
URL: WS-2020-0163
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1
Release Date: 2020-07-02
Fix Resolution: marked - 1.1.1
WS-2019-0209
Vulnerability Details
marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.
Publish Date: 2019-07-04
URL: WS-2019-0209
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1076
Release Date: 2019-07-04
Fix Resolution: 0.7.0
WS-2019-0027
Vulnerability Details
In versions 0.3.17 and earlier of marked, four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.
Publish Date: 2018-02-26
URL: WS-2019-0027
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@b15e42b
Release Date: 2018-02-26
Fix Resolution: 0.3.18
WS-2018-0628
Vulnerability Details
marked before 0.4.0 is vulnerable to regular expression denial of service (ReDoS) via the heading rule in marked.js.
Publish Date: 2018-04-16
URL: WS-2018-0628
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/0.4.0
Release Date: 2018-04-16
Fix Resolution: marked - 0.4.0
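Five of the entries in this report (CVE-2015-8854, WS-2019-0027, WS-2018-0628, WS-2019-0209 and WS-2020-0163) are the same bug class: a rule regex that backtracks catastrophically on crafted input. The block below is an added example, not code from marked or from the WhiteSource report. It shows the regex shape that usually causes the problem (an unbounded quantifier applied to a group that already contains one), a small screening heuristic that flags that shape in a regex source string, and a timing harness that makes the exponential blow-up visible. The patterns `^(a+)+$` and `^a+$` are constructed for the demonstration; the heuristic is a review aid and is not the analysis the marked maintainers performed.

```javascript
// Added example for this report; not code from marked. Patterns and the
// screening heuristic are constructed for illustration.

// Returns true when a regex source applies an unbounded quantifier (*, + or
// {n,}) to a group that itself contains an unbounded quantifier, e.g.
// /(a+)+$/ or /(\s*\w*)*$/. That shape is the usual cause of catastrophic
// backtracking. Escaped characters and character classes are skipped so
// that \+ and [+*] do not count as quantifiers.
function hasNestedQuantifier(source) {
  const groups = [];                 // per open group: seen an unbounded quantifier?
  let inClass = false;
  let lastClosedGroupQuantified = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; lastClosedGroupQuantified = false; continue; }
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; lastClosedGroupQuantified = false; continue; }
    if (c === '(') { groups.push(false); lastClosedGroupQuantified = false; continue; }
    if (c === ')') { lastClosedGroupQuantified = groups.pop() === true; continue; }

    let isQuantifier = false;
    let unbounded = false;
    if (c === '*' || c === '+') { isQuantifier = true; unbounded = true; }
    else if (c === '?') { isQuantifier = true; }           // optional / lazy marker: bounded
    else if (c === '{') {
      const m = /^\{\d+(,\d*)?\}/.exec(source.slice(i));
      if (m) {                                             // {n}, {n,m} or {n,}
        isQuantifier = true;
        unbounded = /,\}$/.test(m[0]);
        i += m[0].length - 1;
      }
    }
    if (unbounded) {
      if (lastClosedGroupQuantified) return true;          // quantifier on a quantified group
      groups.fill(true);                                   // every enclosing group now contains one
    }
    if (!isQuantifier) lastClosedGroupQuantified = false;
  }
  return false;
}

// Wall-clock milliseconds for one test() of `re` against `input`.
function measureMs(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Constructed demonstration: both patterns accept exactly the same strings,
// but the first is exponential and the second linear. The trailing '!'
// defeats the match and forces the engine to try every way of splitting
// the a's between the inner and outer quantifier.
const EVIL_RE = /^(a+)+$/;
const FIXED_RE = /^a+$/;

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [14, 18, 22]) {
    const input = 'a'.repeat(n) + '!';
    console.log(`n=${n}  evil ${measureMs(EVIL_RE, input).toFixed(2)} ms` +
                `  fixed ${measureMs(FIXED_RE, input).toFixed(2)} ms`);
  }
  console.log('flagged:', hasNestedQuantifier(EVIL_RE.source), hasNestedQuantifier(FIXED_RE.source));
}
```

Two caveats for anyone running this over a real rules file: the heuristic only catches the nested-quantifier shape, so lazy quantifiers with overlapping alternations (the form many markdown rules take) can still be exploitable without being flagged, and an unambiguous pattern such as `\w+(?:\s+\w+)*` is flagged although it is safe. Treat a hit as a prompt to measure with an adversarial input, as above. The upgrade listed in each entry is the fix; capping the length of untrusted markdown before it reaches the parser only bounds the damage.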
CVE-2015-1370
Vulnerability Details
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Publish Date: 2015-01-27
URL: CVE-2015-1370
CVSS 3 Score Details (3.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1370
Release Date: 2015-01-27
Fix Resolution: marked - 0.3.3 (other affected packages: polymer-core-elements - 0.5.5; z4a-dotnet-scaffold - 1.0.0.3)
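The XSS entries above (CVE-2014-3743, CVE-2015-1370, CVE-2016-10531, CVE-2017-1000427, WS-2018-0031 and WS-2019-0026) are successive bypasses of the same link-target check: a denylist that matched only the literal `javascript:`, then missed `vbscript:`, then `data:`, then entity-encoded and mixed-case spellings. The block below is an added example, not code from marked or from this report. It contrasts that denylist style with an allowlist check that decodes character references and strips whitespace the way a browser does before reading the scheme. The entity table, scheme allowlist and probe strings are constructed for the demonstration.

```javascript
// Added example for this report; not code from marked. The entity table,
// allowlist and probe inputs are constructed for illustration.

// Named character references we decode. Lookup is case-insensitive on
// purpose: decoding more than a browser would can only reject a link, never
// admit one, so the check fails closed.
const NAMED_REFS = {
  colon: ':', tab: '\t', newline: '\n', sol: '/', amp: '&',
  lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// Single-pass decode of &#NNN; &#xHH; and the named references above. The
// trailing semicolon is optional, as it is for numeric references in
// browsers. Unknown references are left untouched.
function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const named = NAMED_REFS[ref.toLowerCase()];
    return named === undefined ? whole : named;
  });
}

// Browsers drop ASCII tab/newline anywhere in a URL and trim leading and
// trailing C0 controls and spaces before reading the scheme. Mirror that so
// "java\tscript:" or " javascript:" is not mistaken for a relative path.
function normalizeUrl(href) {
  return decodeCharRefs(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Hardened check: relative references and an explicit allowlist of schemes
// pass; everything else (javascript:, vbscript:, data:, anything unknown)
// is rejected, whatever case or encoding it arrives in.
function isSafeLinkTarget(href) {
  const url = normalizeUrl(href);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                       // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// The denylist style the advisories describe failing: it blocks the literal
// lower-case string "javascript:" and nothing else.
function isSafeLinkTargetDenylist(href) {
  return !/^javascript:/.test(href);
}

// Constructed probes, one per bypass class named in this report.
const PROBES = [
  'javascript:alert(1)',                        // plain scheme
  'JaVaScRiPt:alert(1)',                        // mixed case
  'vbscript:msgbox(1)',                         // second dangerous scheme (CVE-2015-1370)
  'data:text/html,<script>alert(1)</script>',   // data: URI (CVE-2017-1000427)
  '&#x6A;avascript:alert(1)',                   // hex character reference (CVE-2016-10531)
  '&#106;avascript:alert(1)',                   // decimal character reference
  'javascript&COLON;alert(1)',                  // upper-case entity name (WS-2019-0026)
  'java&Tab;script:alert(1)',                   // whitespace entity inside the scheme
];

// Number of probes a given check lets through. The allowlist admits none;
// the denylist admits every probe except the first.
function countAdmitted(check) {
  return PROBES.filter(check).length;
}
```

Two points for practice. First, this guards only the link target; the unescaped href of WS-2019-0025 is an output-encoding bug that no scheme check addresses. Second, a markdown renderer's built-in `sanitize` option should not be the last line of defence: treat the rendered HTML as untrusted and pass it through a dedicated HTML sanitizer before it reaches `innerHTML`, and upgrade to the fixed versions listed in each entry.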