CVE-2015-1370 — VBScript Content Injection in marked

Description

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

How to fix CVE-2015-1370

To remediate CVE-2015-1370, upgrade the affected package to a fixed version below.

Debian/node-marked—upgrade to 0.3.6+dfsg-1 or later
npm/marked—upgrade to 0.3.3 or later

Is CVE-2015-1370 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.3.6+dfsg-1
from 0, < 0.3.3

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-1370
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-1370
PATCHgithub.com/markedjs/marked
WEBgithub.com/chjj/marked/issues/492
WEB