CVE-2016-10531 - OpenCVE

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Marked Project	Marked

Configuration 1 [-]

cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/chjj/marked/pull/592
https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523
https://nodesecurity.io/advisories/101

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-05-31T20:00:00Z

Updated: 2024-09-17T04:28:55.235Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2016-10531

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-31T20:29:01.033

Modified: 2019-10-09T23:16:43.620

Link: CVE-2016-10531

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "marked node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<=0.3.5"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS) - Generic (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-31T19:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/101"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/chjj/marked/pull/592"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2016-10531", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "marked node module", "version": {"version_data": [{"version_value": "<=0.3.5"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://nodesecurity.io/advisories/101", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/101"}, {"name": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523", "refsource": "MISC", "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"name": "https://github.com/chjj/marked/pull/592", "refsource": "MISC", "url": "https://github.com/chjj/marked/pull/592"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:21:52.151Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/101"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/chjj/marked/pull/592"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-10531", "datePublished": "2018-05-31T20:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-17T04:28:55.235Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BEF40AFF-3F72-4F2A-B903-F1AA12E427E4", "versionEndIncluding": "0.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left."}, {"lang": "es", "value": "marked es una aplicaci\u00f3n hecha para analizar y compilar markdown. Debido a la forma en la que marked, en versiones 0.3.5 y anteriores, analiza entradas (espec\u00edficamente, entidades HTML), es posible omitir la protecci\u00f3n de inyecci\u00f3n de contenido de marked (\"sanitize: true\") para inyectar una URL \"javascript:\". Este fallo existe porque \"#xNNanything;\" se analiza hasta donde se puede y olvida el resto, lo que resulta en que \"anything;\" queda suelto."}], "id": "CVE-2016-10531", "lastModified": "2019-10-09T23:16:43.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-31T20:29:01.033", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/chjj/marked/pull/592"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/101"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "support@hackerone.com", "type": "Secondary"}]}