References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

https://github.com/NuGet/NuGetGallery/commit/c52b023659f4ad7b626874c1063f2b5e878a4fe0

https://github.com/NuGet/NuGetGallery/pull/9836

https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-gwjh-c548-f787

NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. When a user inputs a Markdown autolink such as `<javascript:alert(1)>`, the link is rendered without proper sanitiz

GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

GitHub, Inc. CWE-79

GitHub, Inc. https://github.com/NuGet/NuGetGallery/commit/c52b023659f4ad7b626874c1063f2b5e878a4fe0 [No types assigned]

GitHub, Inc. https://github.com/NuGet/NuGetGallery/pull/9836 [No types assigned]

GitHub, Inc. https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-gwjh-c548-f787 [No types assigned]