Replace markdown-it-katex with something else
XeR opened this issue
CTFNote contains a vulnerable dependency (`markdown-it-katex`).
```
# yarn audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ markdown-it-katex                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vue-markdown                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vue-markdown > markdown-it-katex                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1466                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
Despite what was originally thought, we are vulnerable to it.
We parse markdown in CTF descriptions and credentials.
Credentials are not a real problem (only admins/captains can edit them).
The CTF description means somebody could drop the payload in the description of a CTF on CTFTime.
Thanks to @tastelessctf I could test that this is exploitable (you do not need kyprizel's confirmation to edit a CTF's description).
Here is a screenshot of the vulnerability exploited to print an alert box.
The package is unmaintained. It has to be replaced.
Branch `graphql` is not affected (it does not use Vue).
It uses a different database schema. Switching from `main` to `graphql` will result in data loss.
Fixed in v2.0.0.
Check MIGRATION.md to upgrade.