6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7773

GHSA ID

GHSA-f246-xrrj-g8j6

EPSS Score

0.57941%

CWE

CWE-79

Published

2/10/2022

Updated

9/5/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7773

CVE-2020-7773:
Cross-site Scripting in markdown-it-highlightjs

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.

const markdownItHighlightjs = require("markdown-it-highlightjs");
const md = require('markdown-it'); 
const reuslt_xss = md().use(markdownItHighlightjs, { inline: true }).render('console.log(42){.">js}'); 
console.log(reuslt_xss);

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7773

GHSA ID

GHSA-f246-xrrj-g8j6

EPSS Score

0.57941%

CWE

CWE-79

Published

2/10/2022

Updated

9/5/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
markdown-it-highlightjs	npm	< 3.3.1	3.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the inline code rendering logic where user-controlled lang parameters were insufficiently sanitized. The patch modifies the regex in inlineCodeRenderer to exclude dangerous characters, proving this was the injection point. This function directly processes the vulnerable lang attribute from markdown input and would appear in stack traces when processing malicious payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** m*rk*own-it-*i**li**tjs ***or* *.*.*. It is possi*l* ins*rt m*li*ious J*v*S*ript *s * v*lu* o* l*n* in t** m*rk*own-it-*i**li**tjs Inlin* *o** *i**li**tin* ***tur*. ```js *onst m*rk*ownIt*i**li**tjs = r*quir*("m*rk*own-it-*

Reasoning

T** vuln*r**ility *xists in t** inlin* *o** r*n**rin* lo*i* w**r* us*r-*ontroll** l*n* p*r*m*t*rs w*r* insu**i*i*ntly s*nitiz**. T** p*t** mo*i*i*s t** r***x in `inlin**o**R*n**r*r` to *x*lu** **n**rous ***r**t*rs, provin* t*is w*s t** inj**tion poin

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-7773: Cross-site Scripting in markdown-it-highlightjs

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-7773:
Cross-site Scripting in markdown-it-highlightjs

Vulnerability Intelligence
Miggo AI