CVE - CVE-2020-26298

CVE-ID
CVE-2020-26298	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/advisories/GHSA-q3wr-qw3g-3p4h URL:https://github.com/advisories/GHSA-q3wr-qw3g-3p4h DEBIAN:DSA-4831 URL:https://www.debian.org/security/2021/dsa-4831 FEDORA:FEDORA-2023-44daa9c1d4 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/ FEDORA:FEDORA-2023-597f13ffb9 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/ FEDORA:FEDORA-2023-8682a0e17d URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/ MISC:https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security URL:https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security MISC:https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793 URL:https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793 MISC:https://rubygems.org/gems/redcarpet URL:https://rubygems.org/gems/redcarpet MLIST:[debian-lts-announce] 20210115 [SECURITY] [DLA 2526-1] ruby-redcarpet security update URL:https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201001	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201001)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)