CVE-2021-33041: Cross-site Scripting in vmd
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57376%
CWE
Published
2/10/2022
Updated
9/11/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
vmd | npm | <= 1.34.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized HTML injection in the markdown rendering process. Key evidence includes:
- The PoC demonstrates XSS via <img> and <a> tags with event handlers executing Node.js code
- Electron's
nodeIntegration
likely enabled, allowing renderer process access torequire('child_process')
- The 'markdown-body' div is explicitly called out as the injection point
- Lack of sanitization matches the CWE-79 XSS pattern While the exact function name isn't specified in available data, the rendering mechanism's insecure implementation is clearly the root cause.