GMS-2020-709: Cross-Site Scripting in buttle

September 2, 2020 (updated September 27, 2021)

All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

References

github.com/advisories/GHSA-pqpp-2363-649v
hackerone.com/reports/404126
www.npmjs.com/advisories/810

Detect and mitigate GMS-2020-709 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →