Date: Tue, 7 Apr 2015 14:11:25 -0700
From: Reed Loden <reed@...dloden.com>
To: Assign a CVE Identifier <cve-assign@...re.org>, rubysec-announce@...glegroups.com, oss-security@...ts.openwall.com, ruby-security-ann@...glegroups.com
Subject: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled
Date: 2015-04-07
CVE: Yet to be assigned.
Credit: Daniel LeCheminant (@d_lec)
Download: https://rubygems.org/gems/redcarpet
Description: Markdown to (X)HTML parser
Fix: https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:
* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown, including:
* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is enabled.

More information is available at:
* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
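Added example (not part of Reed's message, and not code from the redcarpet project): a stand-alone Ruby check that answers the two questions the advisory raises for a Rails/Bundler app, namely whether the locked redcarpet is older than 3.2.3 (the release the message says carries the fix) and whether the app actually turns on the autolink extension. It assumes the version threshold from the advisory, a standard Gemfile.lock layout (top-level specs indented four spaces), and that the caller passes the same extensions Hash it hands to Redcarpet::Markdown.new; the lockfile content is constructed sample data.

```ruby
require "rubygems" # Gem::Version ships with Ruby; no third-party gems needed

# From the advisory: the fix is included in redcarpet 3.2.3, so anything
# older is in the affected range (assumed threshold, taken from the message).
REDCARPET_FIXED_VERSION = Gem::Version.new("3.2.3")

# Constructed Gemfile.lock fragment (sample data, not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    rails (4.2.0)
    redcarpet (3.2.2)
    nokogiri (1.6.6.2-x86_64-linux)

PLATFORMS
  ruby

DEPENDENCIES
  rails
  redcarpet
LOCK

# Returns the version locked for `gem_name` as a Gem::Version, or nil if the
# gem is not in the bundle. Top-level entries under `specs:` are indented by
# exactly four spaces; the gems they depend on are indented by six and skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m && m[1] == gem_name
    # Platform-specific locks look like "1.6.6.2-x86_64-linux"; drop the
    # suffix so only the numeric version is compared.
    return Gem::Version.new(m[2].split("-").first)
  end
  nil
end

# True when the bundle matches the condition the advisory names: an affected
# redcarpet version AND the autolink extension enabled. `extensions` is the
# Hash the app passes to Redcarpet::Markdown.new (e.g. { autolink: true }).
# Upgrading is still the right fix; this only tells you how urgent it is.
def redcarpet_exposed?(lockfile_text, extensions)
  version = locked_version(lockfile_text, "redcarpet")
  return false if version.nil?               # redcarpet not bundled at all
  return false unless extensions[:autolink]  # advisory condition not met
  version < REDCARPET_FIXED_VERSION
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCKFILE, "redcarpet")
  status = redcarpet_exposed?(SAMPLE_LOCKFILE, { autolink: true }) ? "UPGRADE to >= 3.2.3" : "ok"
  puts "redcarpet #{v}: #{status}"
end
```

Run it against a real lockfile with `locked_version(File.read("Gemfile.lock"), "redcarpet")`; the platform-suffix stripping matters because Gem::Version would otherwise treat "3.2.2-x86-mingw32" as a prerelease and compare it incorrectly.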