CVE-2015-1370: VBScript Content Injection
Marked is vulnerable to content injection even when sanitize: true is enabled.
The Markdown input [xss link](vbscript:alert(1)) is rendered as the link <a href="vbscript:alert(1)">xss link</a>.
This script does not work in IE edge mode, but it works in IE compatibility view.
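The following is an added example, not code from marked or from this advisory: it contrasts a scheme denylist with a scheme allowlist applied to link targets before rendering. The names denylistHref, safeHref, escapeHtml and renderLink are hypothetical, the denylist that rejects only javascript: is an assumed stand-in for the filtering gap described above, and the allowed scheme set is an assumption to adapt per application.

```javascript
// Added example (not marked's source). All function names are hypothetical.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

// Denylist stand-in: rejects javascript: only, so vbscript: passes through.
function denylistHref(href) {
  return href.toLowerCase().indexOf('javascript:') === 0 ? null : href;
}

// Allowlist: anything that parses as a scheme must be explicitly permitted.
function safeHref(href) {
  // Browsers strip leading control characters/spaces and embedded tabs and
  // newlines from URLs; conservatively drop all of them before checking.
  const cleaned = String(href).replace(/[\u0000-\u0020]+/g, '');
  const colon = cleaned.indexOf(':');
  const delim = cleaned.search(/[\/?#]/);
  // A colon before the first '/', '?' or '#' means the prefix is a scheme.
  const hasScheme = colon !== -1 && (delim === -1 || colon < delim);
  if (!hasScheme) return cleaned; // relative URL, no scheme to validate
  const scheme = cleaned.slice(0, colon).toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? cleaned : null;
}

function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Render a Markdown link; emit only the escaped text when the href is rejected.
function renderLink(text, href, check) {
  const ok = check(href);
  if (ok === null) return escapeHtml(text);
  return '<a href="' + escapeHtml(ok) + '">' + escapeHtml(text) + '</a>';
}

// The advisory's input under both policies.
console.log(renderLink('xss link', 'vbscript:alert(1)', denylistHref));
console.log(renderLink('xss link', 'vbscript:alert(1)', safeHref));
```

With the allowlist, a scheme that was never anticipated is rejected by default instead of requiring a new denylist entry for each one.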