CVE-2015-1370

EPSS 0.35%

VBScript Content Injection in marked

發布日:2017/10/24修改日:2026/4/28

描述

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

受影響套件(2)

Debian/node-markedfrom 0, < 0.3.6+dfsg-1
npm/markedfrom 0, < 0.3.3

參考連結(10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1370
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-1370
PATCHhttps://github.com/markedjs/marked
WEBhttps://github.com/chjj/marked/issues/492
WEBhttps://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba
WEBhttps://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1
WEBhttps://github.com/markedjs/marked/issues/492
WEBhttps://www.npmjs.com/advisories/24
WEBhttps://www.npmjs.com/advisories/24/versions
WEBhttp://www.openwall.com/lists/oss-security/2015/01/23/2