CVE-2024-21535: 
JavaScript vulnerability analysis and mitigation

CVE-2024-21535 affects versions of the package markdown-to-jsx before 7.4.0. The vulnerability is a Cross-site Scripting (XSS) issue that occurs via the src property due to improper input sanitization. The vulnerability was disclosed on February 20, 2024, and published on October 14, 2024. The affected software is the markdown-to-jsx package, which is a lightweight, customizable React markdown component (Snyk Advisory, NVD).

The vulnerability stems from insufficient input sanitization of the src property in markdown-to-jsx. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue was addressed in version 7.4.0 by ensuring proper sanitization of the src property (Snyk Advisory, GitHub Patch).

The vulnerability can allow attackers to perform Cross-site Scripting (XSS) attacks. When successfully exploited, this can lead to the execution of arbitrary code in the context of the user's browser, potentially compromising user sessions, stealing cookies, or exposing sensitive information (Snyk Advisory).

The primary mitigation is to upgrade markdown-to-jsx to version 7.4.0 or higher, which includes the security fix. The fix ensures proper sanitization of the src property to prevent XSS attacks (GitHub Patch, Snyk Advisory).