CVE-2024-28245 — Vulnetix

CVE-2024-28245 PUBLISHED CVSS 6.300000190734863 MEDIUM

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

EPSS 0.05% · 15.5th percentile

Risk Scores

CVSS 3.1

6.300000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score

0.05%

15.5th percentile

Affected Products

Vendor	Product	Versions
npm	katex	0.11.0
katex	katex	0.11.0
KaTeX	KaTeX	>= 0.11.0, < 0.6.10
katex	katex	0.11.0

Exploit Intelligence

https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h (circl)
https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770 (circl)

Timeline

Jan 21, 1970 Security Advisory
Mar 25, 2024 CVE Published
Mar 26, 2024 EPSS Score
Apr 21, 2024 EPSS Score
May 16, 2024 EPSS Score
Jun 11, 2024 EPSS Score
Jul 7, 2024 EPSS Score
Aug 1, 2024 EPSS Score
Aug 27, 2024 EPSS Score
Sep 22, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 17, 2024 EPSS Score

References

https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h url
https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770 url
https://nvd.nist.gov/vuln/detail/CVE-2024-28245 advisory
https://github.com/KaTeX/KaTeX package

Open in Interactive Console →