Bug 2271606 (CVE-2024-28246) - CVE-2024-28246 katex: allow malicious input to generate `javascript:` links in the output
Summary: CVE-2024-28246 katex: allow malicious input to generate `javascript:` links in the output
Keywords:
Status: NEW
Alias: CVE-2024-28246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271607 2271608
Blocks:
 
Reported: 2024-03-26 14:05 UTC by Rohit Keshri
Modified: 2024-03-26 14:05 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Rohit Keshri 2024-03-26 14:05:30 UTC
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329
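Added example (not KaTeX's code and not part of the original report): it demonstrates the bypass described above and a `trust` callback that is not fooled by it. KaTeX is not loaded; `protocolFromUrl`, `isTrusted` and the context object shape (`command`, `url`, `protocol`, with `_relative` for scheme-less URLs) are a constructed model of what an unpatched renderer hands to the `trust` callback, and they are assumptions, not the library's internals. The model deliberately keeps the scheme's original case, which is the condition under which the blocklist comparison from the advisory fails.

```javascript
// Added example, not KaTeX's own code. Models how a case-sensitive `trust`
// callback is bypassed by `JavaScript:` URLs and how to harden the callback.

// ASSUMPTION (constructed model): extract the URL scheme as written, without
// the colon, preserving its case as an unpatched renderer did. Scheme-less URLs
// are reported as "_relative", following the wording of KaTeX's `trust` docs.
function protocolFromUrl(url) {
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1] : "_relative";
}

// ASSUMPTION: the subset of the context object passed to `trust` that matters
// here. `command` is fixed to \href because only `protocol` is inspected.
function isTrusted(url, trust) {
  return trust({ command: "\\href", url, protocol: protocolFromUrl(url) });
}

// The blocklist callback quoted in the advisory. It compares case-sensitively,
// so any capitalisation other than exactly "javascript" is trusted.
const weakTrust = (context) => context.protocol !== "javascript";

// Hardened callback: normalise to lower case and use an allowlist instead of a
// blocklist, so unexpected schemes (data:, vbscript:, ...) are refused as well.
const SAFE_PROTOCOLS = new Set(["http", "https", "mailto", "_relative"]);
const hardenedTrust = (context) =>
  typeof context.protocol === "string" &&
  SAFE_PROTOCOLS.has(context.protocol.toLowerCase());

// Constructed sample inputs: one benign absolute URL, the payload in three
// capitalisations, and a relative URL.
const SAMPLES = [
  "https://example.com/",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "JAVASCRIPT:alert(1)",
  "docs/index.html",
];

// Returns { url: trustedBoolean } for every sample under the given callback.
function evaluate(trust) {
  return Object.fromEntries(SAMPLES.map((u) => [u, isTrusted(u, trust)]));
}

// Weak callback: "JavaScript:alert(1)" and "JAVASCRIPT:alert(1)" are trusted.
// Hardened callback: every javascript: variant is refused, http(s) and relative
// links are still allowed.
console.table({ weak: evaluate(weakTrust), hardened: evaluate(hardenedTrust) });
```

Lowercasing inside the callback is defence in depth: the proper fix is upgrading to KaTeX v0.16.10, which normalises the protocol before it reaches `trust`, but a callback written this way stays correct on older versions and on any other renderer that reports the scheme as typed.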

Comment 1 Rohit Keshri 2024-03-26 14:05:54 UTC
Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2271607]


Created marker tracking bugs for this issue:

Affects: fedora-all [bug 2271608]
