CVE-2024-28245

Improper Encoding or Escaping of Output (CWE-116)

Published: Mar 24, 2024

CVSS 6.3 | EPSS 0.04% | Medium

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Mar 24, 2024 at 10:16 PM
CVE Assignment

NVD published the first details for CVE-2024-28245

Mar 25, 2024 at 1:15 PM
CVSS

A CVSS base score of 6.3 has been assigned.

Mar 25, 2024 at 7:40 PM / github_advisories
First Article

Feedly found the first article mentioning CVE-2024-28245.

Mar 25, 2024 at 7:42 PM / GitHub Advisory Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.5%)

Mar 28, 2024 at 4:04 PM

Patches

Github Advisory

Attack Patterns

CAPEC-104: Cross Zone Scripting

Vendor Advisory

[GHSA-f98w-7cxr-ff2h] KaTeX's `\includegraphics` does not escape filename
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

News

CVE-2024-28245 - RedPacket Security
CVE-2024-28245
Medium Severity. Description: KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability. Read more at https://www.tenable.com/cve/CVE-2024-28245
CVE-2024-28245
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability. CVE-2024-28245 originally published on CyberSecurityBoard
CVE-2024-28245 | KaTeX up to 0.16.9 cross site scripting (GHSA-f98w-7cxr-ff2h)
A vulnerability, which was classified as problematic, was found in KaTeX up to 0.16.9. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-28245. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-28245
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: Low
