GitHub_MCVELIST:CVE-2020-26298CVE-2020-26298 Injection in Redcarpet
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
33.3%
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.
CNA Affected
[
{
"vendor": "vmg",
"product": "redcarpet",
"versions": [
{
"version": "< 3.5.1",
"status": "affected"
}
]
}
]References
github.com/advisories/GHSA-q3wr-qw3g-3p4h
github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
lists.debian.org/debian-lts-announce/2021/01/msg00014.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/
rubygems.org/gems/redcarpet
www.debian.org/security/2021/dsa-4831
Related
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
33.3%