CVE-2016-10531 - OpenCVE

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Marked Project	Marked

Configuration 1 [-]

cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/chjj/marked/pull/592	Exploit Issue Tracking Third Party Advisory
https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523	Patch Third Party Advisory
https://nodesecurity.io/advisories/101	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-04-26T00:00:00

Updated: 2018-05-31T19:57:01

Reserved: 2017-10-29T00:00:00

Link: CVE-2016-10531

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-31T20:29:01.033

Modified: 2019-10-09T23:16:43.620

Link: CVE-2016-10531

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "marked node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<=0.3.5"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS) - Generic (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-31T19:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/101"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/chjj/marked/pull/592"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2016-10531", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "marked node module", "version": {"version_data": [{"version_value": "<=0.3.5"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://nodesecurity.io/advisories/101", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/101"}, {"name": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523", "refsource": "MISC", "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"name": "https://github.com/chjj/marked/pull/592", "refsource": "MISC", "url": "https://github.com/chjj/marked/pull/592"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-10531", "datePublished": "2018-04-26T00:00:00", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2018-05-31T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BEF40AFF-3F72-4F2A-B903-F1AA12E427E4", "versionEndIncluding": "0.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}, {"lang": "es", "value": "marked es una aplicaci\u00f3n hecha para analizar y compilar markdown. Debido a la forma en la que marked, en versiones 0.3.5 y anteriores, analiza entradas (espec\u00edficamente, entidades HTML), es posible omitir la protecci\u00f3n de inyecci\u00f3n de contenido de marked (\"sanitize: true\") para inyectar una URL \"javascript:\". Este fallo existe porque \"#xNNanything;\" se analiza hasta donde se puede y olvida el resto, lo que resulta en que \"anything;\" queda suelto."}], "id": "CVE-2016-10531", "lastModified": "2019-10-09T23:16:43.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-31T20:29:01.033", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/chjj/marked/pull/592"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/101"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "support@hackerone.com", "type": "Secondary"}]}