GHSA-phph-xpj4-wvcv

Source

https://github.com/advisories/GHSA-phph-xpj4-wvcv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-phph-xpj4-wvcv/GHSA-phph-xpj4-wvcv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-phph-xpj4-wvcv

Published

2020-09-03T21:13:07Z

Modified

2021-09-29T18:51:18Z

Summary

Cross-Site Scripting in hexo-admin

Details

All versions of hexo-admin are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2020-08-31T18:51:09Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

npm / hexo-admin

Package

Name: hexo-admin; View open source insights on deps.dev
Purl: pkg:npm/hexo-admin

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-phph-xpj4-wvcv/GHSA-phph-xpj4-wvcv.json"