This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-16T00:00:00

Updated: 2020-11-16T12:00:24

Reserved: 2020-01-21T00:00:00


Link: CVE-2020-7773

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2020-11-16T12:15:14.463

Modified: 2020-12-01T13:23:29.497


Link: CVE-2020-7773

JSON object: View

cve-icon Redhat Information

No data.

CWE