GMS-2020-371: HTML Injection in marky-markdown
All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes whose source is youtube.com, but the check can be bypassed with sources in which youtube.com appears as a sub-domain label, such as youtube.com.evil.co. This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown.