CVE-2022-25849: HyperDown vulnerable to Cross-site Scripting

October 26, 2022

The package joyqi/hyper-down from 0.0.0 is vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well.

References

github.com/advisories/GHSA-4r9g-w48q-8jwm
nvd.nist.gov/vuln/detail/CVE-2022-25849
security.snyk.io/vuln/SNYK-PHP-JOYQIHYPERDOWN-2953544

Detect and mitigate CVE-2022-25849 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →