CVE-2019-10905

Опубликовано: 06 апр. 2019

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.

Ссылки

https://github.com/erusev/parsedown/issues/699
Exploit
Issue Tracking
Third Party Advisory
https://github.com/erusev/parsedown/releases/tag/1.7.2
Release Notes
Third Party Advisory
https://github.com/erusev/parsedown/issues/699
Exploit
Issue Tracking
Third Party Advisory
https://github.com/erusev/parsedown/releases/tag/1.7.2
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:parsedown:parsedown:*:*:*:*:*:*:*:*

Версия до 1.7.2 (исключая)

EPSS

Процентиль: 66%

0.00521

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-62m3-fc7f-jpp8