markdown-to-jsx <7.4.0 XSS Vulnerability Advisory and Fix

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: Cross-site Scripting (XSS) 2. Affected Package: 3. Affected Version Range: 4. Introduction Date: February 20, 2024 5. CVSS Score: 5.3 (Medium) 6. How to Fix: Upgrade to version 7.4.0 or higher. 7. Vulnerability Description: - is a lightweight, customizable React Markdown component. - Affected versions of the package accept malicious input via the attribute, leading to a Cross-site Scripting (XSS) vulnerability. - Attackers can inject malicious elements within markdown to execute arbitrary code. 8. Code Example: 9. Types: - Stored - Reflected - DOM-based - Mutated 10. Affected Environments: - Web servers - Application servers - Web application environments 11. How to Prevent: - Sanitize data inputs in HTTP requests, ensuring all data is validated, filtered, or escaped. - Use HTML or URL encoding for special characters. - Provide users with options to disable client-side scripts. - Redirect invalid requests. - Detect concurrent logins from different IP addresses and invalidate such sessions. - Implement and enforce Content Security Policy (CSP). - Review documentation of any libraries referenced in the code to understand which elements allow embedded HTML. 12. Reference Links: - GitHub Commit This information helps developers understand the nature, scope, and remediation steps for the vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

markdown-to-jsx <7.4.0 XSS Vulnerability Advisory and Fix