CVE-2016-10531

EPSS 1.5%CWE-79

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

31 May 2018Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

Affected products

HackerOne · marked node module

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/chjj/marked/pull/592 https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523 https://nodesecurity.io/advisories/101