Clipboard-based DOM-XSS

CVE-2021-37700

6.5MEDIUM

Key Information

Vendor: Github
Status: Paste-markdown
Vendor: CVE Published:; 12 August 2021

Summary

@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string `<table>`, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected. This is fixed in version 0.3.4. Refer the to the referenced GitHub Advisory for more details including an example exploit.

Affected Version(s)

paste-markdown = < 0.3.4

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: 6.1 to: 6.5 - (MEDIUM)
Feb 22, 2024
Vulnerability published.
Aug 12, 2021
Vulnerability Reserved.
Jul 29, 2021

Collectors

NVD DatabaseMitre Database