WS-2019-0026 (Medium) detected in marked-0.3.19.js
mend-bolt-for-github opened this issue
WS-2019-0026 - Medium Severity Vulnerability
Vulnerable Library - marked-0.3.19.js
A markdown parser built for speed
Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js
Path to dependency file: TinyURL-Node.js/node_modules/marked/www/demo.html
Path to vulnerable library: TinyURL-Node.js/node_modules/marked/www/../lib/marked.js
Dependency Hierarchy:
- ❌ marked-0.3.19.js (Vulnerable Library)
Found in HEAD commit: 246f78657477824a6b5a35dcd0706571d25a6eb7
Found in base branch: master
Vulnerability Details
Versions 0.3.7 and earlier of marked unescape only the lowercase form, while browsers support both lowercase and uppercase x in the hexadecimal form of an HTML character entity
Publish Date: 2017-12-23
URL: WS-2019-0026
Suggested Fix
Type: Upgrade version
Origin: markedjs/marked@6d1901f
Release Date: 2019-03-17
Fix Resolution: 0.3.9
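Added illustration (not part of the original issue and not marked's source verbatim): a simplified JavaScript reconstruction of the entity-unescape helper in its pre-fix shape and in the shape of the 0.3.9 fix, plus a link-href check modelled on how marked's sanitize option uses that helper. The function names `unescapeVulnerable`, `unescapeFixed` and `hrefLooksSafe` and the sample hrefs are assumed for the example.

```javascript
// Pre-fix shape (assumed reconstruction of marked <= 0.3.7): the entity regex and the
// 'x' test are case-sensitive, so "&#X3A;" is not decoded to ":" even though a browser
// decodes it. "+'X3A'" is NaN, and String.fromCharCode(NaN) yields "\u0000".
function unescapeVulnerable(html) {
  return html.replace(/&([#\w]+);/g, function (_, n) {
    if (n === 'colon') return ':';
    if (n.charAt(0) === '#') {
      return n.charAt(1) === 'x'
        ? String.fromCharCode(parseInt(n.substring(2), 16))
        : String.fromCharCode(+n.substring(1));
    }
    return '';
  });
}

// Fixed shape (assumed reconstruction of markedjs/marked@6d1901f, released in 0.3.9):
// match decimal, hex and named entities case-insensitively and lower-case the entity
// name before inspecting it, so "&#X3A;" and "&#x3a;" both decode to ":".
function unescapeFixed(html) {
  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/ig, function (_, n) {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n.charAt(0) === '#') {
      return n.charAt(1) === 'x'
        ? String.fromCharCode(parseInt(n.substring(2), 16))
        : String.fromCharCode(+n.substring(1));
    }
    return '';
  });
}

// Modelled on marked's sanitize check for link hrefs (reconstruction, not the library's
// code): unescape, URL-decode, strip everything but word characters and ':', then refuse
// script protocols. The raw href (entities intact) is what ends up in the emitted HTML,
// so whatever the unescape step fails to decode, the browser still will.
function hrefLooksSafe(href, unescapeFn) {
  var prot;
  try {
    prot = decodeURIComponent(unescapeFn(href)).replace(/[^\w:]/g, '').toLowerCase();
  } catch (e) {
    return false;
  }
  return prot.indexOf('javascript:') !== 0 && prot.indexOf('vbscript:') !== 0;
}

// Constructed sample hrefs: lowercase and uppercase hex entities for ':' (0x3A).
var LOWER_X = 'javascript&#x3A;alert(1)';
var UPPER_X = 'javascript&#X3A;alert(1)';

// Returns, for each helper, whether the uppercase-X form slips past the check.
function bypassReport() {
  return {
    lowerXBlockedByVulnerable: !hrefLooksSafe(LOWER_X, unescapeVulnerable),
    upperXBlockedByVulnerable: !hrefLooksSafe(UPPER_X, unescapeVulnerable),
    upperXBlockedByFixed: !hrefLooksSafe(UPPER_X, unescapeFixed)
  };
}

console.log(bypassReport());
```

The point of the check is the asymmetry: the pre-fix helper decodes `&#x3A;` but leaves `&#X3A;` as a NUL byte, so the protocol test sees `javascriptalert1` and passes the href through, while every browser decodes the uppercase form to the same `:`. The fix closes the gap by normalising case before interpreting the entity.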