GHSA-mq6v-w35g-3c97
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mq6v-w35g-3c97
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-mq6v-w35g-3c97/GHSA-mq6v-w35g-3c97.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mq6v-w35g-3c97
- Published
- 2024-02-03T00:37:56Z
- Modified
- 2024-05-14T22:01:12Z
- Summary
- Local File Inclusion vulnerability in zmarkdown
- Details
-
Impact
A minor Local File Inclusion vulnerability has been found in
zmarkdown, which allowed for images with a known path on the host machine to be included inside a LaTeX document.To prevent it, a new option has been created that allow to replace invalid paths with a default image instead of linking the image on the host directly.
zmarkdownhas been updated to make this setting the default.Every user of
zmarkdownis likely impacted, except if disabling LaTeX generation or images download. Here is an example of including an image from an invalid path:Will effectively redownload and include the image found at
/tmp/img.png.Patches
The vulnerability has been patched in version 10.1.3. If impacted, you should update to this version as soon as possible.
Workarounds
Disable images downloading, or sanitize paths.
For more information
If you have any questions or comments about this advisory, open an issue in ZMarkdown.
- Database specific
{ "github_reviewed_at": "2024-02-03T00:37:56Z", "cwe_ids": [], "nvd_published_at": null, "severity": "LOW", "github_reviewed": true }- References
Affected packages
npm / zmarkdown
Package
- Name
- zmarkdown
- View open source insights on deps.dev
- Purl
- pkg:npm/zmarkdown