Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols
Vulnerability Description
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Vulnerability Type
不完整的黑名单
Vulnerability Title
KaTeX 安全漏洞
Vulnerability Description
KaTeX是一个快速、易于使用的 JavaScript 库,用于在网络上进行 TeX 数学渲染。 KaTeX v0.16.10 版本之前存在安全漏洞,该漏洞源于使用 KaTeX 的 trust 选项的代码,特别是提供将某些 URL 协议列入黑名单的功能的代码,可能会被在协议中使用大写字符的恶意输入中的 URL 所欺骗。
CVSS Information
N/A
Vulnerability Type
N/A