Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xZ3B2LTg2cjMtODdmaM028A
Cross-site Scripting in Parsedown
Parsedown versions prior to 1.7.0 contain a Cross-Site Scripting (XSS) vulnerability in setMarkupEscaped, the option used to escape raw HTML in the input, which can result in JavaScript execution in the browser that renders the output. The attack is exploitable via specially crafted markdown that sidesteps HTML escaping by breaking AST boundaries, so applications that rely on setMarkupEscaped(true) to render untrusted markdown are affected. This vulnerability was fixed in 1.7.0 and later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZ3B2LTg2cjMtODdmaM028A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 10 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-qgpv-86r3-87fh, CVE-2018-1000162
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000162
- https://github.com/Roave/SecurityAdvisories/issues/44#issuecomment-368594409
- https://github.com/erusev/parsedown/pull/495
- https://github.com/FriendsOfPHP/security-advisories/blob/master/erusev/parsedown/CVE-2018-1000162.yaml
- https://github.com/advisories/GHSA-qgpv-86r3-87fh
Blast Radius: 31.9
Affected Packages
packagist:erusev/parsedown
Dependent packages: 782
Dependent repositories: 169,961
Downloads: 121,767,537 total
Affected Version Ranges: < 1.7.0
Fixed in: 1.7.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4
All unaffected versions: 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4
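As an added example (not part of this advisory or of the Parsedown project), the following Python script audits a Composer lock file against the affected range published above. The composer.lock excerpt is constructed for illustration, and the range grammar it accepts ("<", "<=", ">", ">=", "=" clauses joined by commas) is an assumption about how ecosyste.ms-style ranges are written; only "< 1.7.0" appears on this page. Pre-release versions (e.g. 1.7.0-beta1) are deliberately ordered before their release so that a pre-release of the fix version is still reported as affected.

```python
import json
import operator
import re
from typing import List, Dict, Tuple

# Advisory data as published on this page.
ADVISORY = {
    "id": "GHSA-qgpv-86r3-87fh",
    "cve": "CVE-2018-1000162",
    "package": "erusev/parsedown",
    "affected_ranges": "< 1.7.0",
    "fixed_in": "1.7.0",
}

# Constructed composer.lock excerpt (not taken from any real project).
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "erusev/parsedown", "version": "1.6.4"},
    {"name": "symfony/yaml", "version": "v4.0.6"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "7.0.3"}
  ]
}"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>|=)\s*(\S+)$")
_OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "=": operator.eq, "==": operator.eq,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.6.4', 'v1.7', or '1.7.0-beta1' into a comparable tuple.

    The numeric core is padded to three components (so 1.7 == 1.7.0) and a
    trailing flag orders pre-releases (0) before the final release (1), the
    conservative choice for an "is this version affected" check. Build
    metadata after '+' is ignored, as in semver."""
    m = _VERSION_RE.match(v.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    is_prerelease = m.group(2) is not None
    return tuple(nums) + (0 if is_prerelease else 1,)


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every comma-separated clause of the range,
    e.g. in_range('1.6.4', '>= 1.0.0, < 1.7.0')."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def audit_composer_lock(lock_json: str, advisory: Dict = ADVISORY) -> List[Dict]:
    """Return one finding per locked package that matches the advisory's
    package name and falls inside its affected range. Both the runtime
    'packages' and the 'packages-dev' sections are checked, since a dev-only
    dependency can still be deployed by mistake."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() != advisory["package"]:
                continue
            if in_range(pkg["version"], advisory["affected_ranges"]):
                findings.append({
                    "section": section,
                    "package": pkg["name"],
                    "installed": pkg["version"],
                    "advisory": advisory["id"],
                    "cve": advisory["cve"],
                    "fixed_in": advisory["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in audit_composer_lock(SAMPLE_COMPOSER_LOCK):
        print(f"{f['package']} {f['installed']} ({f['section']}) is affected by "
              f"{f['advisory']} / {f['cve']}; upgrade to >= {f['fixed_in']}")
```

To run it against a real project, replace SAMPLE_COMPOSER_LOCK with the contents of that project's composer.lock; the advisory fields can be refreshed from the JSON endpoint listed under References above.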