John MacFarlane

4 exploits Active since Aug 2021
CVE-2025-51591 WRITEUP LOW WRITEUP
JGM Pandoc 3.6.4 - Server-Side Request Forgery via Crafted iframe
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
CVSS 3.7
CVE-2021-38711 WRITEUP HIGH WRITEUP
gitit < 0.15.0.0 - Information Disclosure via Export Feature
In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.
CVSS 7.5
CVE-2021-4249 WRITEUP MEDIUM WRITEUP
xml-conduit <1.9.1.0 - Infinite Loop
A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204.
CVSS 4.3
CVE-2023-38745 WRITEUP MEDIUM WRITEUP
pandoc < 3.1.6 - Arbitrary File Write via Crafted Image Element
Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).
CVSS 6.3