GHSA-qwj6-q94f-8425: XSS
First published: Tue Jan 21 2025(Updated: )
### Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the `\htmlData` command, and the lack of escaping leads to XSS. ### Details Overall in the code, other than in the `test` folder, no functions escaping HTML can be seen. ### PoC 1. Go to https://cortexjs.io/mathlive/demo/ 2. Paste either `\htmlData{><img/onerror=alert(1)"src=}{}` or `\htmlData{x=" ><img/onerror=alert(1) src>}{}` in the LaTeX textarea. ### Impact MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/mathlive | <=0.103.0 | 0.104.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qwj6-q94f-8425
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/source
- agent/severity
- agent/last-modified-date
- agent/type
- agent/tags
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/npm