CVE-2014-3743
Publication date 6 January 2020
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url’s. sanitize: true Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser. Injection is possible in two locations * gfm codeblocks (language) * javascript url’s
Status
Package | Ubuntu Release | Status |
---|---|---|
node-marked | 18.04 LTS bionic |
Not affected
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |