
CVE-2020-28455: markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.25629%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name     Ecosystem  Vulnerable Versions  First Patched Version
markdown-it-toc  npm        <= 1.1.0             -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two unescaped outputs: 1) the user-controllable TOC title specified in the @[toc](title_here) syntax, and 2) header text used in anchor links. In the markdown-it plugin architecture, these would be handled by the TOC rendering function and the header parsing logic respectively. Without proper HTML entity escaping (e.g., using markdown-it's built-in escapeHtml utility), document-controlled text flows directly into the HTML output. The high confidence comes from the vulnerability description explicitly identifying these two injection points and from the package's failure to apply standard XSS protections in those contexts.
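To make the two injection points concrete, here is an added example (not markdown-it-toc's own code): a minimal TOC renderer that interpolates the title and header text raw, beside a hardened form that escapes them at the point of output. The function names, the slug rule and the sample input are assumptions; escapeHtml reimplements the behaviour of markdown-it's md.utils.escapeHtml rather than importing it.

```javascript
'use strict';
// Added illustration, not markdown-it-toc's own code: a minimal TOC renderer
// with the two unescaped outputs the analysis describes, beside a hardened
// form. Function names are hypothetical; escapeHtml mirrors what
// markdown-it's md.utils.escapeHtml does (escapes & < > ").

function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Anchor slug for a header: lowercase, drop everything but [a-z0-9 -],
// collapse whitespace runs into single hyphens (assumed rule).
function slugify(text) {
  return String(text).trim().toLowerCase()
    .replace(/[^a-z0-9 -]/g, '')
    .replace(/\s+/g, '-');
}

// Vulnerable pattern: TOC title and header text are interpolated raw, so
// markup in either one lands in the rendered page unchanged.
function renderTocVulnerable(title, headers) {
  const items = headers
    .map((h) => `<li><a href="#${slugify(h)}">${h}</a></li>`)
    .join('');
  return `<p><strong>${title}</strong></p><ul>${items}</ul>`;
}

// Hardened form: every string that originates in the document is escaped
// where it is written into HTML; the href is escaped too, even though
// slugify already strips markup characters (defence in depth).
function renderTocSafe(title, headers) {
  const items = headers
    .map((h) => `<li><a href="#${escapeHtml(slugify(h))}">${escapeHtml(h)}</a></li>`)
    .join('');
  return `<p><strong>${escapeHtml(title)}</strong></p><ul>${items}</ul>`;
}

// Constructed sample input: a TOC title and one header that carry markup.
const sampleTitle = 'Contents <img src=x onerror=alert(1)>';
const sampleHeaders = ['Intro', 'Setup <script>alert(2)</script>'];

console.log('vulnerable:', renderTocVulnerable(sampleTitle, sampleHeaders));
console.log('hardened:  ', renderTocSafe(sampleTitle, sampleHeaders));
```

In the hardened output the same input survives only as entity-encoded text inside the link and title, which is the check a reviewer would apply to any plugin that turns document text into HTML.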


WAF Protection Rules

WAF Rule

This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped.
