Local File Inclusion vulnerability in zmarkdown

Low severity GitHub Reviewed Published Aug 31, 2021 in zestedesavoir/zmarkdown • Updated May 14, 2024

Package

npm zmarkdown (npm)

Affected versions

< 10.1.3

Patched versions

10.1.3

Description

Impact

A minor Local File Inclusion vulnerability has been found in
zmarkdown: when generating LaTeX output, an image whose path
points to a file on the host machine was included directly in the
LaTeX document, so any file at a known path on the host could be
pulled into the rendered output.

To prevent this, a new option has been added that replaces invalid
paths with a default image instead of linking the host file directly.
zmarkdown has been updated to make this option the default.

Every user of zmarkdown is likely impacted, unless LaTeX generation
or image downloading is disabled. Here is an example of an image
reference with an invalid (host-local) path:

![](/tmp/img.png)

In affected versions this will effectively re-download and include the
image found at /tmp/img.png on the host in the generated LaTeX document.

Patches

The vulnerability has been patched in version 10.1.3.
If impacted, you should update to this version as soon as possible.

Workarounds

Disable image downloading, or sanitize image paths before rendering
(reject absolute host paths and anything that resolves outside the
directory images are allowed to come from).

For more information

If you have any questions or comments about this advisory, open an issue in ZMarkdown.

References

LikaKavkasidze published to zestedesavoir/zmarkdown Aug 31, 2021
Published to the GitHub Advisory Database Feb 3, 2024
Reviewed Feb 3, 2024
Last updated May 14, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-mq6v-w35g-3c97

Credits
