Moderate severity · NVD Advisory · Published Apr 18, 2018 · Updated Aug 5, 2024

CVE-2018-1000162

Description

Parsedown before 1.7.0 has a cross-site scripting vulnerability in setMarkupEscaped that allows specially crafted markdown to bypass HTML escaping and execute JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Parsedown versions prior to 1.7.0 contain a Cross-Site Scripting (XSS) vulnerability in setMarkupEscaped, the method used to escape HTML in the generated output. Specially crafted markdown can break the parser's AST boundaries so that raw HTML sidesteps the escaping step, allowing arbitrary JavaScript to be injected into the rendered page. All Parsedown releases before 1.7.0 are affected [1].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted markdown input that manipulates the abstract syntax tree (AST) boundaries, causing the HTML escaping mechanism (setMarkupEscaped) to be bypassed. The attack requires no special privileges; it can be delivered via any vector where untrusted markdown is processed (e.g., user comments, forum posts). No authentication or special network position is needed if the markdown is rendered on a publicly accessible page [1][2].

Impact

Successful exploitation results in arbitrary JavaScript execution within the context of the victim's browser, leading to Cross-Site Scripting (XSS). This can be used to steal session cookies, deface web pages, redirect users, or perform other malicious actions on behalf of the victim. The attacker gains the ability to execute code with the same permissions as the legitimate user [1][2].

Mitigation

The vulnerability is fixed in Parsedown version 1.7.0 and later [1]; users should upgrade to Parsedown 1.7.0 or newer. No workaround is mentioned in the references. The setSafeMode(true) method is not directly related to this flaw; the project's own documentation labels setMarkupEscaped with the warning `WARNING: This method is not safe from XSS!` [3]. Defense-in-depth measures such as a Content Security Policy (CSP) and an HTML sanitizer like HTML Purifier are recommended in addition to upgrading [3]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
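
As an added example (not code from the advisory or the Parsedown project), a PHP wrapper that refuses to render untrusted markdown on any release below the fixed 1.7.0 and otherwise enables safe mode, plus a restrictive CSP header as the defense-in-depth layer mentioned above. It assumes Parsedown is installed through Composer so that vendor/autoload.php exists, and that the Parsedown::version constant and setSafeMode() are present as in the 1.7.x releases.

```php
<?php
// Added example, not the advisory's or Parsedown's own code.
// Assumes a Composer install of erusev/parsedown (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

const PARSEDOWN_FIXED_VERSION = '1.7.0'; // first release not affected by CVE-2018-1000162

function renderUntrustedMarkdown(string $markdown): string
{
    // Fail closed on a vulnerable release instead of falling back to
    // setMarkupEscaped(), which the project documents as not XSS-safe.
    if (version_compare(Parsedown::version, PARSEDOWN_FIXED_VERSION, '<')
        || !method_exists(Parsedown::class, 'setSafeMode')) {
        throw new RuntimeException(
            'Parsedown ' . Parsedown::version . ' is affected by CVE-2018-1000162; '
            . 'upgrade to >= ' . PARSEDOWN_FIXED_VERSION
        );
    }

    $parser = new Parsedown();
    $parser->setSafeMode(true);    // escape raw HTML, sanitise link/image targets
    $parser->setUrlsLinked(false); // do not auto-link bare URLs from untrusted input

    return $parser->text($markdown);
}

// Defense in depth: even if markup slipped through, a script tag has no
// permitted source to run from. Tighten or loosen per application.
function sendContentSecurityPolicy(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'none'");
}

// Constructed sample input: the raw HTML must come out escaped, not executed.
$sample = "Hello *world*\n\n<script>alert(1)</script>";

sendContentSecurityPolicy();
echo renderUntrustedMarkdown($sample);
```

The rendered output for the sample should contain `&lt;script&gt;` rather than a live script element; treating that as a unit test is a cheap regression check after any Parsedown upgrade.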

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: erusev/parsedown (Packagist)
Affected versions: < 1.7.0
Patched versions: 1.7.0

Affected products: 1

Patches: 0 (no patches discovered yet)
