From ${URL} :

Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled
Date: 2015-04-07
CVE: Yet to be assigned.
Credit: Daniel LeCheminant (@...ec)
Download: https://rubygems.org/gems/redcarpet
Description: Markdown to (X)HTML parser
Fix: https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:
* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown, including:
* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is enabled.

More information is available at:
* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
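As an added defender-side check (example code, not part of the bug report or of the redcarpet project): the Ruby below audits a Gemfile.lock for a redcarpet version below the 3.2.3 fix named in the advisory and, given the extensions hash an application passes to Redcarpet::Markdown.new, reports whether the autolink condition leaves it exposed. The lockfile content is constructed for the example.

```ruby
require 'rubygems'   # Gem::Version (stdlib)

# Fixed release named in the advisory; anything below it is affected.
FIXED_REDCARPET = Gem::Version.new('3.2.3')

# Parse the "specs:" section of a Gemfile.lock into {gem name => Gem::Version}.
# Top-level specs are exactly four-space-indented "name (version)" lines;
# deeper-indented lines are dependency constraints and are skipped.
def lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # new top-level section (PLATFORMS, ...)
    next unless in_specs
    m = line.match(/\A {4}([^\s()]+) \(([^)]+)\)\s*\z/)
    next unless m
    # Drop a platform suffix such as "-x86_64-linux" before parsing the version.
    specs[m[1]] = Gem::Version.new(m[2].split('-').first)
  end
  specs
end

# Classify exposure from the locked redcarpet version and the extensions hash
# passed to Redcarpet::Markdown.new (e.g. { autolink: true }):
# :not_installed, :fixed (>= 3.2.3), :exposed (vulnerable AND autolink on),
# :upgrade_advised (vulnerable, autolink currently off).
def redcarpet_exposure(lock_text, extensions = {})
  version = lockfile_specs(lock_text)['redcarpet']
  return :not_installed if version.nil?
  return :fixed if version >= FIXED_REDCARPET
  extensions[:autolink] ? :exposed : :upgrade_advised
end

# Constructed sample lockfile pinning the affected redcarpet 3.2.2.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      redcarpet (3.2.2)

  PLATFORMS
    ruby
LOCK
```

Run `redcarpet_exposure(File.read('Gemfile.lock'), autolink: true)` against a real lockfile; only an upgrade to 3.2.3 or later moves the result to :fixed.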
redcarpet-3.2.3 is now in the tree, and vulnerable versions have been removed.
Maintainer(s), thank you for your work. Closing noglsa (Not stable)