Miggo Logo

CVE-2019-9844: Cross-Site Scripting in simple-markdown

6.1

CVSS Score
3.0

Basic Information

EPSS Score
0.58788%
Published
4/9/2019
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
simple-markdownnpm< 0.4.40.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper URI scheme validation in URL handling. The GitHub pull request #63 specifically shows the fix was implemented in URL sanitization logic to block 'data:' and 'vbscript:' protocols. As XSS occurs through malicious link rendering, the function responsible for URL validation/sanitization (likely named sanitizeUrl or similar) would be the vulnerable component. The CVE description explicitly mentions these URI schemes as attack vectors, and the patch version 0.4.4 would have contained the fix for this sanitization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `simpl*-m*rk*own` prior to *.*.* *r* vuln*r**l* to *ross-Sit* S*riptin*. *u* to insu**i*i*nt input s*nitiz*tion t** p**k*** m*y r*n**r output *ont*inin* m*li*ious J*v*S*ript. T*is vuln*r**ility **n ** *xploit** t*rou** input o* links *ont

Reasoning

T** vuln*r**ility st*ms *rom improp*r URI s***m* v*li**tion in URL **n*lin*. T** *it*u* pull r*qu*st #** sp**i*i**lly s*ows t** *ix w*s impl*m*nt** in URL s*nitiz*tion lo*i* to *lo*k '**t*:' *n* 'v*s*ript:' proto*ols. *s XSS o**urs t*rou** m*li*ious