Identifier

CVE-2020-7680

Package Slug

npm/docsify

Vulnerability

Cross-site Scripting

Description

docsify is susceptible to Cross-site Scripting (XSS). Docsify.js uses the fragment identifier (the part of the URL after the # sign) to decide which server-side .md file to load. Because this value is not validated, it is possible to provide an external URL and render arbitrary JavaScript/HTML inside the docsify page.
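The kind of check the description says is missing, as an added example (not docsify's code or its actual patch): the fragment is resolved against the site's own base and rejected unless the result stays on the same origin. `resolveFragmentRoute`, `SITE_BASE` and the `.test` hosts are hypothetical, and the route-to-`.md` mapping is simplified.

```javascript
// Added example: hypothetical names and constructed sample values.
const SITE_BASE = 'https://docs.example.test/'; // constructed site origin

// Map a "#/route" fragment to the Markdown URL the page would fetch.
// Returns null when the fragment would pull content from another origin.
function resolveFragmentRoute(hash, baseHref = SITE_BASE) {
  const base = new URL(baseHref);
  let route = hash.replace(/^#/, '');
  try {
    // Validate the decoded form, since that is what ends up being fetched.
    route = decodeURIComponent(route);
  } catch {
    return null; // malformed percent-encoding
  }

  let target;
  try {
    // The WHATWG parser normalises backslashes and repeated slashes here,
    // so the origin comparison below sees the host a browser would contact.
    target = new URL(route, base);
  } catch {
    return null;
  }

  // Absolute URLs, protocol-relative URLs and non-http(s) schemes all
  // resolve to an origin other than the site's own.
  if (target.origin !== base.origin) return null;

  // The "?id=..." part of a route addresses a heading, not a file.
  target.search = '';
  target.hash = '';

  // Simplified mapping: a directory loads README.md, a page loads <page>.md.
  if (target.pathname.endsWith('/')) target.pathname += 'README.md';
  else if (!target.pathname.endsWith('.md')) target.pathname += '.md';
  return target.href;
}

// Constructed fragments: one ordinary route and two that point off-site.
for (const h of ['#/guide/install', '#//cdn.other.test/x', '#https://other.test/x.md']) {
  console.log(h, '->', resolveFragmentRoute(h));
}
```

A check like this only limits where Markdown is loaded from; it does not sanitize HTML embedded in the fetched file.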

Affected Versions

All versions before 4.11.4

Solution

Upgrade to version 4.11.4 or above.

Last Modified

2020-07-24
