6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9844

GHSA ID

GHSA-qj3f-9gmq-fwv5

EPSS Score

0.58788%

CWE

CWE-79

Published

4/9/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-9844

CVE-2019-9844: Cross-Site Scripting in simple-markdown

Versions of simple-markdown prior to 0.4.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Recommendation

Upgrade to version 0.4.4 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9844

GHSA ID

GHSA-qj3f-9gmq-fwv5

EPSS Score

0.58788%

CWE

CWE-79

Published

4/9/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
simple-markdown	npm	< 0.4.4	0.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper URI scheme validation in URL handling. The GitHub pull request #63 specifically shows the fix was implemented in URL sanitization logic to block 'data:' and 'vbscript:' protocols. As XSS occurs through malicious link rendering, the function responsible for URL validation/sanitization (likely named sanitizeUrl or similar) would be the vulnerable component. The CVE description explicitly mentions these URI schemes as attack vectors, and the patch version 0.4.4 would have contained the fix for this sanitization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `simpl*-m*rk*own` prior to *.*.* *r* vuln*r**l* to *ross-Sit* S*riptin*. *u* to insu**i*i*nt input s*nitiz*tion t** p**k*** m*y r*n**r output *ont*inin* m*li*ious J*v*S*ript. T*is vuln*r**ility **n ** *xploit** t*rou** input o* links *ont

Reasoning

T** vuln*r**ility st*ms *rom improp*r URI s***m* v*li**tion in URL **n*lin*. T** *it*u* pull r*qu*st #** sp**i*i**lly s*ows t** *ix w*s impl*m*nt** in URL s*nitiz*tion lo*i* to *lo*k '**t*:' *n* 'v*s*ript:' proto*ols. *s XSS o**urs t*rou** m*li*ious

6.1

Basic Information

Concerned about an active attack path?

CVE-2019-9844: Cross-Site Scripting in simple-markdown

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI