Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02Mm0zLWZjN2YtanBwOM02AA

High EPSS: 0.00521% (0.65534 Percentile) EPSS:
Permalink JSON

Parsedown Class-Name Injection

Affected Packages Affected Versions Fixed Versions
packagist:erusev/parsedown < 1.7.2 1.7.2
803 Dependent packages
169,961 Dependent repositories
140,331,997 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1

All unaffected versions

1.7.2, 1.7.3, 1.7.4

Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.

References:

Identifiers

GHSA-62m3-fc7f-jpp8

CVE-2019-10905

Risk

Severity

High

EPSS

EPSS Percentage: 0.00521

EPSS Percentile: 0.65534

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/erusev/parsedown

Date and time

Published

over 3 years ago

Updated

almost 2 years ago

API

JSON