CVE-2016-10531

NameCVE-2016-10531
Descriptionmarked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-marked (PTS)jessie0.3.2+dfsg-1vulnerable
stretch0.3.6+dfsg-1fixed
buster0.5.1+dfsg-1fixed
bullseye0.8.0+ds+repack-2fixed
bookworm4.2.3+ds+~4.0.7-2fixed
sid, trixie4.2.3+ds+~4.0.7-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-markedsource(unstable)0.3.6+dfsg-1unimportant

Notes

https://nodesecurity.io/advisories/101
nodejs not covered by security support

Search for package or bug name: Reporting problems