CVE-2016-10531 Vulnerability Details

  /     /     /  

CVE-2016-10531 Metadata Quick Info

CVE Published: 31/05/2018 | CVE Updated: 17/09/2024 | CVE Year: 2016
Source: hackerone | Vendor: HackerOne | Product: marked node module
Status : PUBLISHED

CVE-2016-10531 Description

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it\'s possible to bypass marked\'s content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: Cross-site Scripting (XSS) - Generic (CWE-79)
Source: HackerOne

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: