CVE-2015-1370
VBScript Content Injection in marked
EPSS 2.1%
Description
Versions 0.3.2 and earlier of `marked` are affected by a cross-site scripting vulnerability even when `sanitize:true` is set.
Proof of Concept (IE10 Compatibility Mode only)
`[xss link](vbscript:alert(1))` renders the link `<a href="vbscript:alert(1)">xss link</a>`.
Recommendation
Update to version 0.3.3 or later.
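The root cause above is that the link sanitizer checked the `href` scheme too loosely, so `vbscript:` survived while `javascript:` was blocked. The defensive pattern is a scheme allowlist applied to the decoded, control-character-stripped href, dropping the link altogether when the scheme is not on the list. The following is an added example written for this page; it is not code from `marked` or from the 0.3.3 fix, and the helper names `isSafeHref`, `renderLink`, `escapeHtml` and `decodeNumericEntities` are this example's own. It goes slightly beyond the single `vbscript:` case by also handling mixed case, embedded whitespace and numeric HTML entities in the scheme, which are the usual ways a denylist gets bypassed.

```javascript
// Added example (not marked's own code): scheme allowlist for link hrefs
// produced from untrusted Markdown. Anything not on the list is rendered as
// plain text instead of an <a> element.

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only code points in the Unicode range are decoded; anything else is dropped.
function codePointToString(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode numeric character references (&#118; / &#x76;) so the scheme is
// judged on its decoded form, which is what the browser will act on.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)));
}

function isSafeHref(href) {
  // Strip ASCII whitespace and control characters everywhere: browsers ignore
  // them inside the scheme, so "vb\tscript:" still resolves to vbscript:.
  const cleaned = decodeNumericEntities(href).replace(/[\u0000-\u0020\u007f]/g, '');
  // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) {
    // No scheme at all (relative or protocol-relative URL): allowed.
    return true;
  }
  // Allowlist, compared case-insensitively; vbscript:, javascript:, data: etc.
  // are rejected simply by not being listed.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function renderLink(href, text) {
  const safeText = escapeHtml(text);
  if (!isSafeHref(href)) {
    // Drop the link entirely rather than trying to repair the URL.
    return safeText;
  }
  return `<a href="${escapeHtml(href)}">${safeText}</a>`;
}

// Constructed sample inputs, including the advisory's proof-of-concept href.
const SAMPLES = [
  ['vbscript:alert(1)', 'xss link'],
  ['VB\tScript:alert(1)', 'xss link'],
  ['&#118;bscript:alert(1)', 'xss link'],
  ['https://example.com/?a=1&b=2', 'a <b>'],
  ['/docs/page#anchor', 'relative'],
];
for (const [href, text] of SAMPLES) {
  console.log(JSON.stringify(href), '=>', renderLink(href, text));
}
```

The design choice worth noting is the direction of the check: a denylist has to enumerate every dangerous scheme and every encoding of it, whereas the allowlist only has to name the few schemes the application actually wants to link to, so a scheme the author never thought of (here `vbscript:`) fails closed.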
How to fix CVE-2015-1370
To remediate CVE-2015-1370, upgrade the affected package to a fixed version below.
- Debian/node-marked—upgrade to 0.3.6+dfsg-1 or later
- npm/marked—upgrade to 0.3.3 or later
Is CVE-2015-1370 being exploited?
Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/node-marked: from 0, < 0.3.6+dfsg-1
- npm/marked: from 0, < 0.3.3