CVE-2015-1370

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
marked_projectmarked
𝑥
≤ 0.3.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-marked
bullseye
0.8.0+ds+repack-2
fixed
bookworm
4.2.3+ds+~4.0.7-2
fixed
sid
4.2.3+ds+~4.0.7-3
fixed
trixie
4.2.3+ds+~4.0.7-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-marked
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
needed
wily
ignored
vivid
ignored
utopic
ignored
trusty
dne
precise
dne
lucid
dne
References
http://www.openwall.com/lists/oss-security/2015/01/23/2
https://github.com/chjj/marked/issues/492
https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba
https://nodesecurity.io/advisories/marked_vbscript_injection
http://www.openwall.com/lists/oss-security/2015/01/23/2
https://github.com/chjj/marked/issues/492
https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba
https://nodesecurity.io/advisories/marked_vbscript_injection