Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
\htmlData does not validate attribute names in KaTeX
Vulnerability Description
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
对输出编码和转义不恰当
Vulnerability Title
KaTeX 安全漏洞
Vulnerability Description
KaTeX是KaTeX开源的一个快速、易于使用的 JavaScript 库,用于在网络上进行 TeX 数学渲染。 KaTeX v0.16.21版本之前存在安全漏洞,该漏洞源于 htmlData 命令允许嵌入 HTML 数据,而 trust 选项的不当配置使得攻击者可以利用该命令注入恶意代码。攻击者可以通过不可信的输入执行任意 JavaScript,从而引发跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A