CVE-2015-1370
EPSS 0.35%
VBScript Content Injection in marked
Published: 10/24/2017
Modified: 4/28/2026
Description
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Affected packages (2)
- Debian/node-marked: from 0, < 0.3.6+dfsg-1
- npm/marked: from 0, < 0.3.3
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-1370
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2015-1370
- PATCH: https://github.com/markedjs/marked
- WEB: https://github.com/chjj/marked/issues/492
- WEB: https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba
- WEB: https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1
- WEB: https://github.com/markedjs/marked/issues/492
- WEB: https://www.npmjs.com/advisories/24
- WEB: https://www.npmjs.com/advisories/24/versions
- WEB: http://www.openwall.com/lists/oss-security/2015/01/23/2