{
  "schema_version": "1.4.0",
  "id": "GHSA-gpfj-4j6g-c4w9",
  "modified": "2021-08-30T23:16:08Z",
  "published": "2021-08-12T20:42:17Z",
  "aliases": [
    "CVE-2021-37700"
  ],
  "summary": "Clipboard-based DOM-XSS",
  "details": "### Impact\n\nA self Cross-Site Scripting vulnerability exists in the @github/paste-markdown library. If the clipboard data contains the string `<table>`, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected.\n\nThe following @github/paste-markdown code snippet is triggered when the user pastes something and the browser's clipboard data contains an entry whose content-type is **text/HTML**.\n\n```typescript\nfunction generateText(transfer: DataTransfer): string | undefined {\n  if (Array.from(transfer.types).indexOf('text/html') === -1) return\n\n  let html = transfer.getData('text/html')\n  if (!/<table/i.test(html)) return\n\n  html = html.replace(/<meta.*?>/, '')\n\n  const el = document.createElement('div')\n  el.innerHTML = html\n  const tables = el.querySelectorAll('table')\n\n  for (const table of tables) {\n    if (table.closest('[data-paste-markdown-skip]')) {\n      table.replaceWith(new Text(table.textContent || ''))\n    }\n    const formattedTable = tableMarkdown(table)\n    table.replaceWith(new Text(formattedTable))\n  }\n\n  return el.innerHTML\n}\n```\n\n### Patches\nA security patch was released in [version 0.3.4](https://github.com/github/paste-markdown/releases/tag/v0.3.4).\n\n### Workarounds\nA Content Security Policy that prevents `unsafe-inline` helps reduce the likelihood of this vulnerability being exploited in modern browsers.\n\n<!--\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n*\n-->\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@github/paste-markdown"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/github/paste-markdown/security/advisories/GHSA-gpfj-4j6g-c4w9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/paste-markdown/commit/32b7ea3f29ae8f256f9d19768387be42678ddf30"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/github/paste-markdown"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/paste-markdown/releases/tag/v0.3.4"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@github/paste-markdown"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-12T20:41:45Z",
    "nvd_published_at": "2021-08-12T21:15:00Z"
  }
}