Home > Vulnerability Database > CVE-2016-10531

Mend.io Vulnerability Database

CVE-2016-10531

Good to know:

Date: April 25, 2018

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

Language: Java

Severity Score

6.1

Related Resources (7)

Url: https://github.com/chjj/marked/pull/592

Url: https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523

Url: https://nodesecurity.io/advisories/101

Url: https://security-tracker.debian.org/tracker/CVE-2016-10531

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2016-10531

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-10531

Url: https://www.mend.io/vulnerability-database/CVE-2016-10531

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version 0.3.6

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-10531

Good to know:

Date: April 25, 2018

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?