Home > Vulnerability Database > CVE-2020-26298

Mend.io Vulnerability Database

CVE-2020-26298

Good to know:

Date: January 10, 2021

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.

Language: Ruby

Severity Score

6.8

Related Resources (16)

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/

Url: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793

Url: https://www.debian.org/security/2021/dsa-4831

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM

Url: https://rubygems.org/gems/redcarpet

Url: https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security

Url: https://github.com/vmg/redcarpet

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/redcarpet/CVE-2020-26298.yml

Url: https://github.com/advisories/GHSA-q3wr-qw3g-3p4h

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-26298

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6

Url: https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html

Url: https://www.mend.io/vulnerability-database/CVE-2020-26298

Severity Score

6.8

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version redcarpet - 3.5.1;files.com/files-php-sdk - v1.0.7;jekyll-standalone - no_fix

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-26298

Good to know:

Date: January 10, 2021

Language: Ruby

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?