Key Information Summary Vulnerability Overview Vulnerability Name: markdown-it 14.1.0 - Cross-site scripting (XSS) Severity: High CVE ID: CVE-2022-36542 CVSS Score: 7.5 Affected Versions: markdown-it = 14.1.1 Vulnerability Description The markdown-it library contains a cross-site scripting (XSS) vulnerability when processing certain Markdown inputs. Attackers can inject JavaScript code by crafting malicious Markdown code blocks, leading to arbitrary script execution in the victim's browser. Vulnerability Details Example Code Impact Scope When users input Markdown content containing malicious scripts, these scripts will be executed during page rendering. Attackers can exploit this vulnerability to perform session hijacking, phishing attacks, and other malicious activities. Exploitation Method By crafting specific Markdown code blocks, attackers can trigger XSS attacks on target websites, resulting in theft of sensitive user information or redirection to malicious sites. Mitigation Measures Upgrade to markdown-it 14.1.1 or later. Implement strict filtering and escaping of user-submitted Markdown content to prevent malicious script injection. Timeline Discovery Date: 2022-10-05 Reporting Date: 2022-10-06 Fix Date: 2022-10-07 Public Disclosure Date: 2022-10-08 References GitHub Issue NVD Acknowledgments Thank you to the security researcher(s) who discovered and reported this vulnerability.