CPE Details
marked Project marked 0.2.4 for Node.js
0.2.4
2019-09-23
16h07 +00:00
16h07 +00:00
2019-09-23
16h07 +00:00
16h07 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:marked_project:marked:0.2.4:*:*:*:*:node.js:*:*
Informations
Vendor
marked_projectProduct
markedVersion
0.2.4Target Software
node.jsRelated CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
23h00 +00:00 |
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. | 7.5 |
High |
|
23h00 +00:00 |
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. | 7.5 |
High |
|
18h41 +00:00 |
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. | 6.1 |
Medium |
|
02h00 +00:00 |
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. | 7.5 |
High |
|
20h00 +00:00 |
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. | 6.1 |
Medium |
|
22h00 +00:00 |
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser. | 6.1 |
Medium |
|
20h00 +00:00 |
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." | 7.5 |
High |
|
17h00 +00:00 |
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. | 4.3 |
2025©
tesweb SA
