GHSA-3c48-6pcv-88rm

Suggest an improvement
Source
https://github.com/advisories/GHSA-3c48-6pcv-88rm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-3c48-6pcv-88rm/GHSA-3c48-6pcv-88rm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3c48-6pcv-88rm
Aliases
Published
2018-07-27T17:05:27Z
Modified
2023-11-08T04:00:09.670565Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Macro in MathJax running untrusted Javascript within a web browser
Details

MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later.

Database specific 
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2020-06-16T20:54:43Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm / mathjax

Package

Name
mathjax
View open source insights on deps.dev
Purl
pkg:npm/mathjax

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.4