CVE-2020-28455: markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped
CVSS Score
6.1 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.25629%
CWE
Published
7/26/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| markdown-it-toc | npm | <= 1.1.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two unescaped outputs: 1) the user-controllable TOC title specified in the @toc syntax, and 2) header text used in anchor links. In the markdown-it plugin architecture, these would be handled by the TOC rendering function and the header parsing logic respectively. Without proper HTML entity escaping (e.g., using markdown-it's built-in escapeHtml utility), user input flows directly into the HTML output. The high confidence comes from the vulnerability description explicitly identifying these two injection points and the package's failure to apply standard XSS protections in these contexts.
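The following is an added illustration, not code from markdown-it-toc or markdown-it, of the two output paths the analysis names: a TOC title and header text flowing into HTML with and without escaping. It assumes a `@[toc](Title)`-style marker supplies the title and a list of header strings supplies the entries; `escapeHtml` here is a local stand-in mirroring the replacements of markdown-it's `md.utils.escapeHtml` so the snippet runs without the dependency.

```javascript
// Added example (not markdown-it-toc's own code). Demonstrates the escaping
// defect class described in the root cause analysis and its hardened form.

// Stand-in for markdown-it's md.utils.escapeHtml (assumption: same four
// replacements; '&' must be handled first so entities are not double-encoded).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Injection point 1, defect pattern: the user-supplied TOC title is
// interpolated into markup as-is, so any tag in the title becomes live HTML.
function renderTocTitleUnsafe(title) {
  return `<p><strong>${title}</strong></p>`;
}

// Injection point 1, hardened: the title is treated as text and escaped.
function renderTocTitle(title) {
  return `<p><strong>${escapeHtml(title)}</strong></p>`;
}

// Anchor ids should come from a restricted character set, independent of
// the escaping applied to the visible label (assumed slug scheme).
function slugify(text) {
  return String(text)
    .trim()
    .toLowerCase()
    .replace(/[^\w]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Injection point 2, defect pattern: header text lands raw in both the
// href attribute and the link label.
function renderHeaderLinkUnsafe(headerText) {
  return `<li><a href="#${headerText}">${headerText}</a></li>`;
}

// Injection point 2, hardened: slug for the href, escaped text for the label.
function renderHeaderLink(headerText) {
  return `<li><a href="#${slugify(headerText)}">${escapeHtml(headerText)}</a></li>`;
}

// Full TOC from a title and header list, using only the hardened renderers.
function renderToc(title, headers) {
  const items = headers.map(renderHeaderLink).join('');
  return `${renderTocTitle(title)}<ul>${items}</ul>`;
}

// Defender-side check for a test suite: given the raw input text, the
// rendered HTML must not contain any '<' that originated in that text.
function outputKeepsInputAsText(renderFn, input) {
  const html = renderFn(input);
  return !input.includes('<') || !html.includes(input);
}
```

A regression test for the fix can call `outputKeepsInputAsText` with a constructed input containing `<` for every renderer that touches user text; the unsafe variants fail it and the hardened ones pass.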