GHSA-X52F-H5G4-8QV5

Vulnerability from github – Published: 2024-12-26 18:25 – Updated: 2024-12-26 21:45
VLAI?
Summary
Marp Core allows XSS by improper neutralization of HTML sanitization
Details

Marp Core (@marp-team/marp-core) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.

Impact

Marp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS).

Patches

Marp Core v3.9.1 and v4.0.1 have been patched to fix that.

Workarounds

If you are unable to update the package immediately, disable all HTML tags by setting html: false option in the Marp class constructor.

const marp = new Marp({ html: false })

References

Credits

Thanks to @Ry0taK for finding out this vulnerability.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.9.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@marp-team/marp-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.2"
            },
            {
              "fixed": "3.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@marp-team/marp-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-26T18:25:25Z",
    "nvd_published_at": "2024-12-26T21:15:06Z",
    "severity": "MODERATE"
  },
  "details": "Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS)  due to improper neutralization of HTML sanitization.\n\n### Impact\n\nMarp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS).\n\n### Patches\n\nMarp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that.\n\n### Workarounds\n\nIf you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor.\n\n```javascript\nconst marp = new Marp({ html: false })\n```\n\n### References\n\n- [CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)](https://cwe.mitre.org/data/definitions/79.html)\n- https://github.com/marp-team/marp-core/pull/282\n- https://github.com/marp-team/marp-core/commit/61a1def244d1b6faa8e2c0be97ec0b68cab3ab49\n\n### Credits\n\nThanks to @Ry0taK for finding out this vulnerability.",
  "id": "GHSA-x52f-h5g4-8qv5",
  "modified": "2024-12-26T21:45:58Z",
  "published": "2024-12-26T18:25:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/marp-team/marp-core/security/advisories/GHSA-x52f-h5g4-8qv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marp-team/marp-core/pull/282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marp-team/marp-core/commit/61a1def244d1b6faa8e2c0be97ec0b68cab3ab49"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/marp-team/marp-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marp-team/marp-core/releases/tag/v3.9.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marp-team/marp-core/releases/tag/v4.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Marp Core allows XSS by improper neutralization of HTML sanitization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.