CVE-2023-0835: markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.