@nuxtjs/mdc is vulnerable to Cross-Site Scripting (XSS)
81
High Risk
@nuxtjs/mdc renders untrusted markdown, including raw HTML, into a Vue component tree and relies on the validateProp sanitizer in props.ts as the only barrier against dangerous links. The sanitizer only scheme-checks attributes named href or src, so an SVG anchor xlink:href carrying a javascript: URL is passed through unvalidated. Its data:text/html deny-list is also compared against url.protocol (always data: for data URIs), making those entries dead code so data:text/html payloads are allowed through. An author of untrusted markdown can therefore execute arbitrary script in the page origin at the default configuration; the fix validates xlinkhref like href/src and compares the deny-list against the full url.href.
You are affected if you are using a version that falls within the vulnerable range.
@nuxtjs/mdc is vulnerable to Cross-Site Scripting (XSS) in versions 0.1.0 - 0.22.0.
Upgrade the @nuxtjs/mdc library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant