脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
脆弱性説明
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2.
CVSS情報
N/A
脆弱性タイプ
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
脆弱性タイトル
leandrocp mdex 跨站脚本漏洞
脆弱性説明
leandrocp mdex是加拿大leandrocp个人开发者的一个依赖解析工具。 leandrocp mdex 0.8.3版本至0.13.2之前版本存在跨站脚本漏洞,该漏洞源于对输入中和不当,导致未清理的URL方案可能引起跨站脚本攻击。
CVSS情報
N/A
脆弱性タイプ
N/A