CVE-2018-3770
Remote Code Execution in markdown-pdf
5.5
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
Versions of `markdown-pdf` prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If a markdown file containing malicious HTML is converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file. This may allow an attacker to achieve remote code execution.
Recommendation
Upgrade to version 9.0.0 or later.
How to fix CVE-2018-3770
To remediate CVE-2018-3770, upgrade the affected package to a fixed version below.
- markdown-pdf: upgrade to 9.0.0 or later
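As an added defensive check, not code from the markdown-pdf project: before a markdown file reaches a markdown-pdf release earlier than 9.0.0, this gate refuses any document that carries raw HTML outside code spans and fenced blocks, since that unsanitized HTML is what the conversion renders. The function names, the tag lists and the sample documents are assumptions constructed for the example.

```javascript
// Added example, not markdown-pdf's own code: a gate run before a markdown file
// is handed to markdown-pdf < 9.0.0, which passes raw HTML in the markdown through
// to the PDF renderer unsanitized. Policy: refuse any document carrying raw HTML
// outside code. Code spans and fences are masked first; markdown renders their
// contents as escaped text, not live HTML.

// Replace fenced blocks (``` or ~~~) and inline `code` with placeholders so a
// literal "<script>" inside a documentation example is not flagged.
function maskCode(markdown) {
  return markdown
    .replace(/(```|~~~)[\s\S]*?\1/g, '[fenced-code]')
    .replace(/`[^`\n]*`/g, '[code]');
}

// Autolinks such as <https://example.invalid> look like tags but render as links.
const AUTOLINK = /^<[a-z][a-z0-9+.-]*:/i;

// Return every raw HTML tag found outside code, with its 1-based line number.
function findRawHtml(markdown) {
  const findings = [];
  const tag = /<\/?[a-zA-Z][^>]*>/g;
  maskCode(markdown).split('\n').forEach((line, i) => {
    let m;
    while ((m = tag.exec(line)) !== null) {
      if (!AUTOLINK.test(m[0])) findings.push({ line: i + 1, tag: m[0] });
    }
  });
  return findings;
}

// Tags or attributes that run script once the renderer loads the page are listed
// separately; any other raw HTML is still enough to fail the gate.
const ACTIVE = /^<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript:/i;

function assessMarkdown(markdown) {
  const findings = findRawHtml(markdown);
  const active = findings.filter((f) => ACTIVE.test(f.tag));
  return { safe: findings.length === 0, findings, active };
}

// Constructed sample inputs: the first only mentions HTML inside code, the
// second carries live HTML that a pre-9.0.0 conversion would render as-is.
const SAMPLE_BENIGN = '# Notes\nSee <https://example.invalid> and `<script>`.\n' +
  '```html\n<script>alert(1)</script>\n```\n';
const SAMPLE_HOSTILE = '# Report\nPlain <b>raw html</b> on line two.\n' +
  '<script>alert(1)</script>\n';

console.log(assessMarkdown(SAMPLE_BENIGN).safe, assessMarkdown(SAMPLE_HOSTILE).active);
```

The gate is deliberately conservative: it fails on any raw HTML, so documents that rely on benign inline HTML need an allow-list, and the upgrade to 9.0.0 remains the actual fix.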
Is CVE-2018-3770 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- markdown-pdf: from 0, < 9.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |