GMS-2020-369: Cross-Site Scripting in markdown-to-jsx
(updated )
Versions of markdown-to-jsx are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload. Upgrade to or later.
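One way to enforce a scheme allowlist on link destinations in application code, as an added example that is not markdown-to-jsx's own code. The function names, the allowlist contents and the sample Markdown are assumptions made for illustration.

```javascript
// Added example, not markdown-to-jsx code: allowlist check for link destinations.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']); // assumed policy

// Browsers drop tab/CR/LF anywhere in a URL and ignore leading and trailing
// control characters and spaces, so normalise the same way before parsing.
function normaliseHref(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Returns the normalised href when it is relative or uses an allowlisted
// scheme; returns null for everything else (data:, vbscript:, javascript:, ...).
function safeHref(raw) {
  const href = normaliseHref(raw);
  // RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".".
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!match) return href; // no scheme: relative URL or fragment
  return SAFE_SCHEMES.has(match[1].toLowerCase()) ? href : null;
}

// Scans Markdown source for inline links [text](dest) and returns the ones
// whose destination fails the allowlist, for logging or rejection.
function findUnsafeLinks(markdown) {
  const inlineLink = /\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;
  const unsafe = [];
  for (const [, text, dest] of markdown.matchAll(inlineLink)) {
    if (safeHref(dest) === null) unsafe.push({ text, dest });
  }
  return unsafe;
}

// Constructed sample input; the payload parts are inert placeholders.
const SAMPLE = [
  '[docs](https://example.com/guide)',
  '[section](#install)',
  '[a](data:text/html;base64,PLACEHOLDER)',
  '[b](VBScript:placeholder)',
  '[c](/relative/path "title")',
].join('\n');

console.log(findUnsafeLinks(SAMPLE));
```

The check is deliberately an allowlist rather than a blocklist of known-bad schemes, so a scheme nobody thought to list is rejected by default.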