Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


Moderate severity vulnerability that affects league/commonmark

CVE-2019-10010

Impact

In league/commonmark 0.18.2 and below, malicious users can insert double-encoded HTML entities into their Markdown like this:

[XSS](javascript&amp;colon;alert%28'XSS'%29)

This library would (correctly) unescape the &amp; entity to & during the parsing step. However, the renderer step would fail to properly re-escape the resulting &colon; string, thus producing the following malicious HTML output:

<p><a href="javascript&colon;alert('XSS')">XSS</a></p>

Browsers would interpret &colon; as a : character and allow the JS to be executed when the link is clicked.

This vulnerability was present in the upstream library this project was forked from and therefore exists in all prior versions of league/commonmark.

Solution

The new 0.18.3 release mirrors the fix made upstream - we no longer attempt to preserve entities when rendering HTML attributes like href, src, title, etc.

The $preserveEntities parameter of Xml::escape() is therefore no longer used internally, so it has been deprecated and marked for removal in the next major release (0.19.0).
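The difference between preserving entities and escaping everything when rendering an attribute, as an added Python model (not league/commonmark's PHP code; the function names and the sample link destination are constructed for illustration):

```python
import html
import re

# Anything that already looks like an HTML entity (named, decimal or hex).
ENTITY = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")

# Constructed sample: a link destination carrying a double-encoded colon.
SAMPLE = "javascript&amp;colon;void(0)"

def escape_all(text):
    """Post-fix model: escape every '&', '<', '>' and quote."""
    return html.escape(text, quote=True)

def escape_preserving_entities(text):
    """Pre-fix model: escape, but pass entity-shaped substrings through."""
    out, pos = [], 0
    for m in ENTITY.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(m.group(0))  # left as-is, so the browser will decode it
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

def render_href(markdown_destination, escaper):
    """Parsing step decodes entities once; render step applies the escaper."""
    parsed = html.unescape(markdown_destination)
    return escaper(parsed)

def effective_scheme(href_attr):
    """URL scheme a browser sees after decoding the attribute value."""
    decoded = html.unescape(href_attr)
    m = re.match(r"\s*([A-Za-z][A-Za-z0-9+.\-]*):", decoded)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    for escaper in (escape_preserving_entities, escape_all):
        href = render_href(SAMPLE, escaper)
        print(escaper.__name__, repr(href), "->", effective_scheme(href))
```

With every `&` escaped, the attribute decodes back to the literal text `javascript&colon;...`, which has no scheme and is treated as a relative URL.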

Credits

References

Permalink: https://github.com/advisories/GHSA-3v43-877x-qgmq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN2NDMtODc3eC1xZ21x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: 3 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-3v43-877x-qgmq, CVE-2019-10010
References: Repository: https://github.com/thephpleague/commonmark
Blast Radius: 32.8

Affected Packages

packagist:league/commonmark
Dependent packages: 440
Dependent repositories: 238,335
Downloads: 215,604,499 total
Affected Version Ranges: < 0.18.3
Fixed in: 0.18.3
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.18.0, 0.18.1, 0.18.2
All unaffected versions: 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.4.2