CVE-2024-28246 in KaTeX情報

要約

〜によって MITRE • 2024年03月25日

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

責任者

GitHub, Inc.

予約する

2024年03月07日

モデレーション

承諾済み

エントリ

VDB-257902

EPSS

0.00406

アクティビティ

非常低い

ソース

Do you need the next level of professionalism?

Upgrade your account now!