Date: Tue, 7 Apr 2015 14:11:25 -0700
From: Reed Loden <reed@...dloden.com>
To: Assign a CVE Identifier <cve-assign@...re.org>, rubysec-announce@...glegroups.com, oss-security@...ts.openwall.com, ruby-security-ann@...glegroups.com
Subject: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled
Date: 2015-04-07
CVE: Yet to be assigned.
Credit: Daniel LeCheminant (@...ec)
Download: https://rubygems.org/gems/redcarpet
Description: Markdown to (X)HTML parser
Fix: https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown, including:

* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is enabled.

More information is available at:

* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
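A small defender-side check, added here as an example and not part of the advisory or the redcarpet project: it parses a Gemfile.lock and flags a pinned redcarpet older than the fixed release 3.2.3 named above. The lockfile content is constructed for the demo; only redcarpet is checked, since the other affected projects are not Ruby gems.

```ruby
require "rubygems"

# Fixed release named in the advisory; anything below it is in scope.
FIXED_REDCARPET = Gem::Version.new("3.2.3")

# Constructed sample Gemfile.lock content (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)
      redcarpet (3.2.2)
      sinatra (1.4.6)
        rack (~> 1.5)
LOCK

# Returns a Hash of gem name => Gem::Version for each pinned spec line.
# Pinned specs sit at 4-space indent with an exact version; the 6-space
# dependency lines carry constraints such as "~> 1.5" and are skipped.
def parse_gemfile_lock(text)
  text.each_line.with_object({}) do |line, pins|
    if (m = line.match(/\A {4}(\S+) \((\d[^)]*)\)\s*\z/))
      pins[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Returns a finding string when redcarpet is pinned below 3.2.3, or nil
# when redcarpet is absent or already at/above the fixed version.
def redcarpet_finding(lock_text)
  version = parse_gemfile_lock(lock_text)["redcarpet"]
  return nil if version.nil? || version >= FIXED_REDCARPET
  "redcarpet #{version} is below #{FIXED_REDCARPET}; per the advisory the " \
  "issue needs the autolink extension enabled, so upgrade (or leave " \
  ":autolink off until you can)"
end

if __FILE__ == $PROGRAM_NAME
  puts(redcarpet_finding(SAMPLE_LOCK) || "no vulnerable redcarpet pin found")
end
```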