Lucene search

K

GoogleOSV:GHSA-Q3WR-QW3G-3P4H

HistoryJan 11, 2021 - 7:06 p.m.

Injection/XSS in Redcarpet

2021-01-1119:06:10

Google

osv.dev

14

0.001 Low

EPSS

Percentile

33.3%

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.

CPENameOperatorVersion
redcarpeteq2.0.1
redcarpeteq2.0.0b3
redcarpeteq1.9.0
redcarpeteq3.3.3
redcarpeteq2.2.1
redcarpeteq2.0.0
redcarpeteq3.4.0
redcarpeteq3.1.2
redcarpeteq3.2.2
redcarpeteq3.3.1

Rows per page:

1-10 of 721

References

github.com/advisories/GHSA-q3wr-qw3g-3p4h

github.com/rubysec/ruby-advisory-db/blob/master/gems/redcarpet/CVE-2020-26298.yml

github.com/vmg/redcarpet

github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security

github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793

lists.debian.org/debian-lts-announce/2021/01/msg00014.html

lists.fedoraproject.org/archives/list/[email protected]/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM

lists.fedoraproject.org/archives/list/[email protected]/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6

lists.fedoraproject.org/archives/list/[email protected]/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI

nvd.nist.gov/vuln/detail/CVE-2020-26298

rubygems.org/gems/redcarpet

www.debian.org/security/2021/dsa-4831

0.001 Low

EPSS

Percentile

33.3%

Related for OSV:GHSA-Q3WR-QW3G-3P4H

veracode1 nessus5 fedora3 redhatcve1 openvas5 debian3 nvd1 osv3 cvelist1 prion1 cve1 github1 debiancve1 ubuntucve1 rosalinux1