MEDIUM 6.8 RubyGems
Injection/XSS in Redcarpet
GHSA-q3wr-qw3g-3p4h · CVE-2020-26298
Published · Modified
Description
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-26298
- WEB https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
- ADVISORY https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/redcarpet/CVE-2020-26298.yml
- PACKAGE https://github.com/vmg/redcarpet
- WEB https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
- WEB https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI
- WEB https://rubygems.org/gems/redcarpet
- WEB https://www.debian.org/security/2021/dsa-4831
Ready to move
Start Securing
Free, no credit card | First findings in minutes