diff --git a/advisories/github-reviewed/2024/12/GHSA-x52f-h5g4-8qv5/GHSA-x52f-h5g4-8qv5.json b/advisories/github-reviewed/2024/12/GHSA-x52f-h5g4-8qv5/GHSA-x52f-h5g4-8qv5.json index fa99084627df7..8cbfbfe45122a 100644 --- a/advisories/github-reviewed/2024/12/GHSA-x52f-h5g4-8qv5/GHSA-x52f-h5g4-8qv5.json +++ b/advisories/github-reviewed/2024/12/GHSA-x52f-h5g4-8qv5/GHSA-x52f-h5g4-8qv5.json @@ -1,9 +1,11 @@ { "schema_version": "1.4.0", "id": "GHSA-x52f-h5g4-8qv5", - "modified": "2024-12-26T18:25:25Z", + "modified": "2024-12-26T20:37:38Z", "published": "2024-12-26T18:25:25Z", - "aliases": [], + "aliases": [ + "CVE-2024-56510" + ], "summary": "Marp Core allows XSS by improper neutralization of HTML sanitization", "details": "Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.\n\n### Impact\n\nMarp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS).\n\n### Patches\n\nMarp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that.\n\n### Workarounds\n\nIf you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor.\n\n```javascript\nconst marp = new Marp({ html: false })\n```\n\n### References\n\n- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)\n- https://github.com/marp-team/marp-core/pull/282\n- https://github.com/marp-team/marp-core/commit/61a1def244d1b6faa8e2c0be97ec0b68cab3ab49\n\n### Credits\n\nThanks to @Ry0taK for finding out this vulnerability.", "severity": [