Date: Tue, 7 Apr 2015 14:11:25 -0700
From: Reed Loden <>
To: Assign a CVE Identifier <>,,,
Subject: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled

Date: 2015-04-07

CVE: Yet to be assigned.

Credit: Daniel LeCheminant (@d_lec)


Description: Markdown to (X)HTML parser


This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* 1.16.0 (last version before the library was deprecated)
* 3.2.2
* 3.0.1

It also affects other (less popular) libraries based off of sundown,

* 2.7.1
* 1.0.2
* 0.3.11

Users of these libraries may be vulnerable if the autolink extension is

More information is available at:

* (excellent write-up!)
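An added check, not part of the advisory above or of the redcarpet project: the advisory states that the fix ships in Redcarpet 3.2.3, so a quick way to find out whether a Ruby application is exposed is to read the `specs:` section of its Gemfile.lock and compare the pinned redcarpet version against that release. The lockfile below is a constructed sample; the function and constant names are assumptions made for this example. The names of the other sundown-based gems are not present in the text above, so only redcarpet is checked here.

```ruby
# Added example (not from the advisory): flag a Gemfile.lock that pins
# redcarpet to a version below the fixed release 3.2.3.
require 'rubygems' # Gem::Version / Gem::Requirement ship with Ruby

# Versions that carry the fix, per the advisory ("included in Redcarpet 3.2.3").
FIXED_REDCARPET = Gem::Requirement.new('>= 3.2.3')

# Parse the "specs:" section of a Gemfile.lock into { gem_name => version }.
# Resolved specs sit at 4-space indent as "    name (x.y.z)"; their
# dependency lines at 6-space indent carry requirements, not pins, and are
# deliberately skipped.
def parse_lockfile_specs(lock_text)
  specs = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}([\w.-]+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# :not_present  - redcarpet is not in the lockfile
# :affected     - pinned version predates the fix
# :fixed        - pinned version is 3.2.3 or later
def redcarpet_status(specs)
  version = specs['redcarpet']
  return :not_present unless version
  FIXED_REDCARPET.satisfied_by?(Gem::Version.new(version)) ? :fixed : :affected
end

# Constructed sample lockfile for this example; not a real project's file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      redcarpet (3.2.2)
      sinatra (1.4.6)
        rack (~> 1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    redcarpet
    sinatra
LOCK

if __FILE__ == $0
  specs = parse_lockfile_specs(SAMPLE_LOCK)
  puts "redcarpet #{specs['redcarpet'] || '(absent)'}: #{redcarpet_status(specs)}"
end
```

Run it against a real lockfile with `parse_lockfile_specs(File.read('Gemfile.lock'))`. A `:fixed` result only says the pinned version is at or above 3.2.3; it says nothing about whether the application enables the autolink extension or about the other sundown-based gems the advisory lists.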

