CVE-2019-9844: Cross-Site Scripting in simple-markdown
CVSS Score: 6.1 (CVSS 3.0)
Basic Information

CVE ID: CVE-2019-9844
GHSA ID:
EPSS Score: 0.58788%
CWE:
Published: 4/9/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
simple-markdown | npm | < 0.4.4 | 0.4.4
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper URI scheme validation in the library's URL handling. GitHub pull request #63 shows that the fix was made in the URL sanitization logic, which was changed to block the 'data:' and 'vbscript:' protocols. Because the XSS is triggered by rendering a malicious link, the function responsible for URL validation and sanitization (likely named sanitizeUrl or similar) would be the vulnerable component. The CVE description explicitly names these URI schemes as attack vectors, and patch version 0.4.4 would have contained the fix for this sanitization logic.
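The analysis above describes a fix that blocks specific schemes. As an added illustration for defenders (this is not simple-markdown's code and not the patch from pull request #63), the following JavaScript shows the more robust pattern a Markdown renderer can use for link hrefs: allowlist the schemes you need instead of denylisting the ones you know are dangerous, and normalize the URL before inspecting it so that case and embedded control characters cannot mask the scheme. The function names sanitizeLinkUrl, renderLink and escapeHtml, and the allowlist of http, https and mailto, are assumptions of this example.

```javascript
// Added example, not simple-markdown's own code. Schemes a link renderer is
// assumed to need; anything else (data:, vbscript:, javascript:, ...) is rejected.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Returns the URL unchanged if it is relative or uses an allowlisted scheme,
// otherwise null. The caller decides how to render a rejected URL.
function sanitizeLinkUrl(rawUrl) {
  if (typeof rawUrl !== "string") return null;
  // Browsers skip ASCII control characters and leading/trailing whitespace
  // when parsing a scheme, so remove them before inspecting the URL.
  const url = rawUrl.replace(/[\u0000-\u0020\u007f]/g, "");
  if (url === "") return null;
  // A scheme is letters followed by letters/digits/+/./- and a colon (RFC 3986).
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  if (!match) {
    // No scheme: a relative path, query or fragment, which inherits the page's
    // own scheme and cannot introduce a script-bearing protocol.
    return url;
  }
  // Compare case-insensitively so "VBScript:" and "vbscript:" are treated alike.
  const scheme = match[1].toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? url : null;
}

// Minimal HTML escaping for attribute and text contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Render a Markdown link as HTML. A rejected href falls back to "#" so the link
// text still appears but the link is inert.
function renderLink(text, rawUrl) {
  const href = sanitizeLinkUrl(rawUrl);
  return `<a href="${escapeHtml(href === null ? "#" : href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs for a quick manual run.
for (const u of ["https://example.com/docs", "/relative/path", "mailto:a@b.example",
                 "data:text/html,x", "VBScript:x", " java\tscript:x"]) {
  console.log(JSON.stringify(u), "->", JSON.stringify(sanitizeLinkUrl(u)));
}
```

One trade-off of the allowlist approach: a relative reference whose first path segment contains a colon (for example `example.com:8080/path` with no scheme) is parsed as a scheme and rejected; Markdown authors can avoid that by writing `./example.com:8080/path` or an absolute URL. Rejecting such inputs is preferable to guessing, since the failure mode is a dead link rather than script execution.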