CVE-2016-10531

NameCVE-2016-10531
Descriptionmarked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-marked (PTS)jessie0.3.2+dfsg-1vulnerable
stretch0.3.6+dfsg-1fixed
buster, sid0.5.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-markedsource(unstable)0.3.6+dfsg-1unimportant

Notes

https://nodesecurity.io/advisories/101
nodejs not covered by security support

Search for package or bug name: Reporting problems