npm package
docsify
pkg:npm/docsify
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-30074 | — | | | < 4.12.2 | 4.12.2 | Apr 2, 2021 | docsify 4.12.1 is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the " character. |
| CVE-2021-23342 | — | | | < 4.12.0 | 4.12.0 | Feb 19, 2021 | This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization |
| CVE-2020-7680 | — | | | < 4.11.4 | 4.11.4 | Jul 20, 2020 | docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#// |