CVE-2018-19057: SimpleMDE XSS Vulnerability
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.45059%
CWE
Published
11/21/2018
Updated
9/7/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
simplemde | npm | <= 1.11.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly mentions XSS via IMG onerror attributes and A element mishandling. In Markdown editors, image and link rendering functions are typically responsible for converting markdown syntax to HTML elements. The functions inlineRenderer.image
and inlineRenderer.link
would directly handle these conversions. The lack of input sanitization in these specific functions would allow injection of malicious attributes (for images) and unsafe URL schemes (for links), matching the described attack vectors. The confidence is high as these are the primary functions responsible for the vulnerable HTML element construction mentioned in the advisory.