Cross-Site Scripting in ngx-md
High severity
GitHub Reviewed
Published Sep 3, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023 • Reviewed Aug 31, 2020

Description
Versions of ngx-md prior to 6.0.3 are vulnerable to Cross-Site Scripting. Link targets are not restricted to the http/https schemes and can carry a `javascript:` URL, so a rendered link may execute attacker-supplied JavaScript in the viewer's browser. Markdown input such as `[Click Me](javascript:alert('Injected!'%29)` is rendered as a "Click Me" link that executes JavaScript when clicked.

Recommendation
Upgrade to version 6.0.3 or later.
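The fix the advisory describes is a scheme restriction on link targets. The following is an added defensive example, not ngx-md's own code: a minimal Markdown link renderer that only emits an `<a>` element when the href resolves to http or https, and demotes anything else (including the advisory's payload) to plain text. The `RESOLVE_BASE` host and the `SAMPLE` input are constructed for the example.

```javascript
// Added example (not ngx-md's code): allow only http(s) link targets when
// rendering Markdown links, so a "javascript:" href never reaches the DOM.

// Schemes a rendered Markdown link may use. The advisory describes the fix
// as restricting links to http/https, so the allowlist is exactly that.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Base used only to resolve relative hrefs ("/docs", "../a.md") so they
// inherit an allowed scheme; the host is a placeholder, not a real site.
const RESOLVE_BASE = 'https://placeholder.invalid/';

// Decide whether an href is safe to emit. The WHATWG URL parser does the
// canonicalisation: it trims surrounding whitespace, drops embedded tabs
// and newlines ("java\tscript:") and lower-cases the scheme, so those
// encodings cannot slip a javascript: URL past the allowlist.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(href, RESOLVE_BASE);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Escape text for use in an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal renderer for the inline Markdown link syntax [text](href).
// Links whose href fails isSafeHref are rendered as escaped text only,
// so the advisory's payload produces no <a> element at all.
function renderLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]+)\)/g, (_m, text, href) => {
    const safeText = escapeHtml(text);
    if (!isSafeHref(href)) return safeText;
    return `<a href="${escapeHtml(href)}">${safeText}</a>`;
  });
}

// Constructed sample: the advisory's payload next to an ordinary link.
const SAMPLE = "See [the docs](https://example.com/docs) or [Click Me](javascript:alert('Injected!'%29)";

console.log(renderLinks(SAMPLE));
// → See <a href="https://example.com/docs">the docs</a> or Click Me
```

Relative links still work because they are resolved against the placeholder base before the scheme check, while `mailto:` and `data:` are rejected along with `javascript:`; widen `ALLOWED_PROTOCOLS` deliberately if a deployment needs more than the advisory's http/https set.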