
Cross-Site Scripting in ngx-md

High severity GitHub Reviewed Published Sep 3, 2020 • Updated Oct 4, 2021

Package

npm ngx-md (npm)

Affected versions

< 6.0.3

Patched versions

6.0.3

Description

Versions of ngx-md prior to 6.0.3 are vulnerable to Cross-Site Scripting. Link destinations are not restricted to the http/https schemes, so a link can carry a `javascript:` URL, which may lead to arbitrary code execution. Markdown input such as `[Click Me](javascript:alert('Injected!'%29)` is rendered as a "Click Me" link that executes the JavaScript.
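The scheme allowlist check that the description calls for, written as an added example in JavaScript; this is not ngx-md's own code and does not reproduce the package's actual 6.0.3 fix. A link whose destination fails the allowlist is rendered as plain text instead of an anchor.

```javascript
// Added example (not ngx-md's own code): an href allowlist of the kind a
// markdown renderer needs so that a link destination cannot carry a
// script-executing scheme. Only the schemes below, plus scheme-less links
// (relative paths, "#anchor", "?query"), are permitted.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeHref(href) {
  if (typeof href !== "string") return false;
  // Browsers drop ASCII whitespace and C0 control characters while parsing a
  // URL, so "\tjavascript:" or "java\nscript:" still resolves to javascript:.
  // Strip them before looking at the scheme so the check sees what the
  // browser will see.
  const cleaned = href.replace(/[\u0000-\u0020\u007f]/g, "");
  // A scheme is an ASCII letter followed by letters, digits, "+", "-" or ".",
  // terminated by ":". Match case-insensitively (JaVaScRiPt: is javascript:).
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme at all: relative URL, fragment or query
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render inline markdown links [text](href) to <a> elements. The destination
// pattern stops at the first ")" or whitespace, which is why the advisory's
// sample encodes its closing parenthesis as %29: the encoded form stays inside
// the href. Destinations that fail isSafeHref are emitted as escaped text only.
function renderMarkdownLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_, text, href) => {
    const label = escapeHtml(text);
    if (!isSafeHref(href)) return label; // link text survives, href is dropped
    return `<a href="${escapeHtml(href)}">${label}</a>`;
  });
}
```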

Recommendation

Upgrade to version 6.0.3 or later.

References

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-xr53-m937-jr9c

Source code
