oss-sec mailing list archives
redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown
From: Reed Loden <reed () reedloden com>
Date: Tue, 7 Apr 2015 14:11:25 -0700
Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled
Date: 2015-04-07
CVE: Yet to be assigned.
Credit: Daniel LeCheminant (@d_lec)
Download: https://rubygems.org/gems/redcarpet
Description: Markdown to (X)HTML parser
Fix: https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown, including:

* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is enabled.

More information is available at:

* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
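The advisory leaves two questions for anyone running a Ruby application: is the pinned redcarpet older than the fixed 3.2.3 release, and is the autolink extension actually enabled anywhere? The script below is an added example, not code from the advisory, from Reed Loden or from the redcarpet project. It reads a Gemfile.lock and a Ruby source file and answers both. The Gemfile.lock excerpt and the helper source are constructed samples embedded so it runs offline; the regexes for the lockfile "specs" layout and for the `autolink: true` / `:autolink => true` option forms are this example's own assumptions about how those files usually look, not anything the advisory states.

```ruby
# Added audit example (not from the advisory or the redcarpet project).
# Checks a Gemfile.lock for a redcarpet pin below the fixed release and
# scans Ruby source for the autolink extension being switched on.

require "rubygems"

# Fixed release named in the advisory; anything below it is in scope.
FIXED_VERSION = Gem::Version.new("3.2.3")

# Constructed sample Gemfile.lock (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)
      redcarpet (3.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    redcarpet
LOCK

# Constructed sample helper that turns autolink on (hypothetical file).
SAMPLE_SOURCE = <<~SRC
  # app/helpers/markdown_helper.rb (constructed sample)
  def markdown(text)
    renderer = Redcarpet::Render::HTML.new(filter_html: true)
    Redcarpet::Markdown.new(renderer, autolink: true, tables: true).render(text)
  end
SRC

# Pinned redcarpet version from lockfile text, or nil if the gem is absent.
# Assumes Bundler's layout: "    redcarpet (3.2.2)" under the specs: list.
def redcarpet_version(lockfile_text)
  m = lockfile_text.match(/^ {4}redcarpet \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True when redcarpet is pinned and older than the fixed release.
def vulnerable_version?(lockfile_text)
  v = redcarpet_version(lockfile_text)
  !v.nil? && v < FIXED_VERSION
end

# 1-based line numbers where the autolink extension is enabled.
# Heuristic: matches `autolink: true` and `:autolink => true` only.
def autolink_sites(source_text)
  source_text.each_line.with_index(1)
             .select { |line, _| line =~ /(?:\bautolink:|:autolink\s*=>)\s*true\b/ }
             .map { |_, n| n }
end

# Combined verdict: exposed only when both conditions hold, since the
# advisory ties the bug to the autolink extension being enabled.
def audit(lockfile_text, source_text)
  version = redcarpet_version(lockfile_text)
  sites = autolink_sites(source_text)
  outdated = vulnerable_version?(lockfile_text)
  {
    version: version && version.to_s,
    outdated: outdated,
    autolink_lines: sites,
    exposed: outdated && !sites.empty?,
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCKFILE, SAMPLE_SOURCE)
  puts "redcarpet #{report[:version].inspect} outdated=#{report[:outdated]}"
  puts "autolink enabled on lines: #{report[:autolink_lines].inspect}"
  puts "exposed: #{report[:exposed]}"
end
```

Run it against a real checkout by swapping the two constants for `File.read("Gemfile.lock")` and the contents of each `.rb` file. Two caveats: the source scan only sees your own code, so a dependency that builds a `Redcarpet::Markdown` with autolink on will not show up, and the lockfile check says nothing about the non-Ruby ports listed in the advisory (robotskirt, misaka, php-sundown), which need their own version checks.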
Current thread:
- redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown Reed Loden (Apr 07)