
CVE-2016-10531: Sanitization bypass using HTML Entities in marked

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score
0.52016%
Published
2/18/2019
Updated
9/7/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| marked | npm | < 0.3.6 | 0.3.6 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how marked's unescape function processed HTML entities in link URIs. The original regex matched entities on a best-effort basis, failing to properly validate semicolon termination and entity syntax. This allowed attackers to craft URIs where HTML entities decode to 'javascript:' after sanitization checks, but before final rendering. The commit 2cff859 explicitly tightens the entity regex pattern to prevent this bypass.
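As an added example (not marked's own code), the check below decodes HTML entities the way a browser does, including numeric entities with no trailing semicolon, and only then tests the URI scheme; a strict decoder that requires the semicolon is shown beside it to make clear how a check run before browser-style decoding can be skipped. The sample href, the small named-entity subset and the scheme allow-list are constructed for this example.

```javascript
// Added example, not marked's own code: a link-href check that decodes HTML
// entities the way a browser does *before* testing the URI scheme.

// Named entities recognised here (a constructed subset; browsers know ~2200).
const NAMED = { colon: ':', amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeEntity(body) {
  const n = body.toLowerCase();
  if (n[0] === '#') {
    const cp = n[1] === 'x' ? parseInt(n.slice(2), 16) : parseInt(n.slice(1), 10);
    return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  }
  return Object.prototype.hasOwnProperty.call(NAMED, n) ? NAMED[n] : '';
}

// Weak decoder: only entities terminated by ';' are recognised, so a numeric
// entity without a semicolon survives undecoded and is never inspected.
function decodeStrict(s) {
  return s.replace(/&([#\w]+);/g, (_, body) => decodeEntity(body));
}

// Hardened decoder: numeric entities (decimal or hex) decode with or without
// the trailing semicolon, matching browser behaviour; named ones still need it.
function decodeLenient(s) {
  return s.replace(/&(#\d+|#[xX][0-9a-fA-F]+);?|&(\w+);/g,
    (_, num, name) => decodeEntity(num || name));
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decode, strip ASCII control/space characters (browsers ignore them in the
// scheme), then allow-list the scheme. Relative URLs (no scheme) pass.
function isSafeHref(href, decode) {
  const uri = decode(href).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(uri);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

// Constructed sample: "javascript:" spelled with semicolon-less numeric entities.
const SAMPLE = 'java&#115cript&#58path';

console.log(isSafeHref(SAMPLE, decodeStrict));   // true  (never decoded, so never seen)
console.log(isSafeHref(SAMPLE, decodeLenient));  // false (caught after decoding)
```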


WAF Protection Rules

WAF Rule

Affected versions of `marked` are susceptible to a cross-site scripting vulnerability in link components when `sanitize:true` is configured.

Proof of concept

This flaw exists because link URIs containing HTML entities get processed in an abnorm
