{
  "schema_version": "1.4.0",
  "id": "GHSA-p7c9-jqhq-vr3v",
  "modified": "2023-03-01T01:36:36Z",
  "published": "2018-07-27T17:03:46Z",
  "aliases": [
    "CVE-2018-3770"
  ],
  "summary": "Remote Code Execution in markdown-pdf",
  "details": "Versions of `markdown-pdf` prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If markdown files with malicious HTML are converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file. This may allow attackers to execute Remote Code.\n\n\n## Recommendation\n\nUpgrade to version 9.0.0 or later.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "markdown-pdf"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3770"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/360727"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p7c9-jqhq-vr3v"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/991"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:48:26Z",
    "nvd_published_at": "2018-07-20T22:29:00Z"
  }
}