Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN2NDMtODc3eC1xZ21x

Moderate severity vulnerability that affects league/commonmark

CVE-2019-10010

Impact

In league/commonmark 0.18.2 and below, malicious users can insert double-encoded HTML entities into their Markdown like this:

[XSS](javascript:alert%28'XSS'%29)

This library would (correctly) unescape the & entity to & during the parsing step. However, the renderer step would fail to properly re-escape the resulting : string, thus producing the following malicious HTML output:

<p><a href="javascript&colon;alert('XSS')">XSS</a></p>

Browsers would interpret &colon; as a : character and allow the JS to be executed when the link is clicked.

This vulnerability was present in the upstream library this project was forked from and therefore exists in all prior versions of league/commonmark.

Solution

The new 0.18.3 release mirrors the fix made upstream - we no longer attempt to preserve entities when rendering HTML attributes like href, src, title, etc.

The $preserveEntities parameter of Xml::escape() is therefore no longer used internally, so it has been deprecated and marked for removal in the next major release (0.19.0).

Credits

References

Permalink: https://github.com/advisories/GHSA-3v43-877x-qgmq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN2NDMtODc3eC1xZ21x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: 9 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-3v43-877x-qgmq, CVE-2019-10010
References: Repository: https://github.com/thephpleague/commonmark
Blast Radius: 32.8

Affected Packages

packagist:league/commonmark
Dependent packages: 477
Dependent repositories: 238,335
Downloads: 263,542,933 total
Affected Version Ranges: < 0.18.3
Fixed in: 0.18.3
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.18.0, 0.18.1, 0.18.2
All unaffected versions: 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3