CVE-2016-10531 — Sanitization bypass using HTML Entities in marked

Description

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

How to fix CVE-2016-10531

To remediate CVE-2016-10531, upgrade the affected package to a fixed version below.

—upgrade to 0.3.6+dfsg-1 or later
—upgrade to 0.3.6 or later

Is CVE-2016-10531 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.3.6+dfsg-1
from 0, < 0.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (6)

ADVISORYgithub.com/advisories/GHSA-vfvf-mqq8-rwqc
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10531
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-10531
WEBgithub.com/chjj/marked/pull/592
WEB