CVE-2021-30074 — Docsify vulnerable to cross-site scripting due to mishandled encoding

Description

docsify versions 4.12.1 and earlier are vulnerable to cross-site scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the `"` character.

How to fix CVE-2021-30074

To remediate CVE-2021-30074, upgrade the affected package to a fixed version below.

npm/docsify—upgrade to 4.12.2 or later

Is CVE-2021-30074 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.12.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-30074
PATCHgithub.com/docsifyjs/docsify
WEBgithub.com/docsifyjs/docsify/commit/c24f7f6f0b87a87f6dd3755f69eb0969ebb029c9
WEBgithub.com/docsifyjs/docsify/issues/1549
WEB