CVE-2020-7680: Cross-site Scripting
docsify is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after the # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs and render arbitrary JavaScript/HTML inside the docsify page.
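
The missing validation described above can be expressed as a check on the URL after it has been resolved. This is an added example, not docsify's code or its fix; the function name `resolveMarkdownUrl`, the route-to-file mapping and the `docs.example` / `other.example` hosts are assumptions made for illustration.

```javascript
'use strict';
// Added example (not docsify's code). Assumed mapping: "#/guide" -> <basePath>guide.md,
// and a route ending in "/" -> README.md in that directory.

// Returns the Markdown URL to fetch for a location hash, or null when the
// resolved URL would leave the site's own origin or its docs directory.
function resolveMarkdownUrl(hash, pageUrl, basePath = '/') {
  // Docs root on the page's own origin, normalised to end with "/".
  const root = new URL(basePath.endsWith('/') ? basePath : basePath + '/', pageUrl);

  // Route = fragment without "#" and without the in-fragment query ("?id=...").
  let route = hash.replace(/^#/, '').split('?')[0] || '/';
  if (!route.startsWith('/')) route = '/' + route;
  const file = route.endsWith('/') ? route + 'README.md' : route + '.md';

  // Plain string join of base path and route, as a simple router would do.
  const joined = root.pathname.slice(0, -1) + file;

  let candidate;
  try {
    candidate = new URL(joined, root);
  } catch {
    return null; // not a parsable URL reference
  }
  // Validate the URL *after* resolution: this is what the browser would fetch.
  if (candidate.origin !== root.origin) return null;                 // external host
  if (!candidate.pathname.startsWith(root.pathname)) return null;    // outside docs root
  return candidate.href;
}

// Constructed sample fragments, for illustration only.
const samples = [
  ['#/guide?id=intro', 'https://docs.example/', '/'],
  ['#//other.example/readme', 'https://docs.example/', '/'],
  ['#/../private/notes', 'https://docs.example/docs/', '/docs/'],
];
for (const [hash, page, base] of samples) {
  console.log(hash, '->', resolveMarkdownUrl(hash, page, base));
}
```

The check runs on the parsed result instead of pattern-matching the raw fragment, so it does not depend on how the external URL was spelled.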