oss-sec mailing list archives

redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown


From: Reed Loden <reed () reedloden com>
Date: Tue, 7 Apr 2015 14:11:25 -0700

Title: redcarpet and related gems allow for possible XSS of untrusted
markdown if autolink extension is enabled

Date: 2015-04-07

CVE: Yet to be assigned.

Credit: Daniel LeCheminant (@d_lec)

Download: https://rubygems.org/gems/redcarpet

Description: Markdown to (X)HTML parser

Fix:
https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown,
including:

* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is
enabled.

More information is available at:

* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
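As an added example (not part of Reed's post or of the redcarpet project), a small Ruby check that reads a Gemfile.lock and flags a redcarpet pin older than the 3.2.3 release named above as carrying the fix; the sample lockfile is constructed.

```ruby
# Added example (not from the advisory): check a Gemfile.lock for a
# redcarpet pin older than the fixed release named in the post (3.2.3).
# Uses only Ruby's bundled rubygems for version comparison.
require "rubygems"

FIXED_REDCARPET = Gem::Version.new("3.2.3")

# Extract the locked version of one gem from Gemfile.lock text.
# Resolved entries under "specs:" look like "    redcarpet (3.2.2)" with
# exactly four leading spaces; nested dependency constraints such as
# "      foo (~> 1.0)" are indented deeper and carry no bare version.
# Returns nil when the gem is not present.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A\s{4}#{Regexp.escape(gem_name)} \((\d[^)]*)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Report whether the locked redcarpet predates the fix. A missing gem is
# reported as :not_present so the caller can tell "not affected" apart
# from "nothing to check".
def redcarpet_status(lockfile_text)
  v = locked_version(lockfile_text, "redcarpet")
  return :not_present if v.nil?
  v < FIXED_REDCARPET ? :vulnerable : :fixed
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)
      redcarpet (3.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    redcarpet
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "redcarpet: #{redcarpet_status(SAMPLE_LOCK)}"
end
```

A pin older than 3.2.3 is only exposed when the renderer is built with the autolink extension enabled, so this is a first pass over dependencies, not a confirmation.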
