CVE-2022-36036

Published: Aug 29, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.

Affected (2)

Products: Mdx Mermaid Project: Mdx Mermaid

Mdx Mermaid Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mdx Mermaid Project Mdx Mermaid	From 0.0.1 to 1.3.0
Mdx Mermaid Project Mdx Mermaid	Version 2.0.0 rc1

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.