Fwd: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

Reed Loden

Apr 7, 2015, 9:25:59 PM
to rubysec-announce
Re-posting, as my initial send to rubysec-announce@ bounced. :(

---------- Forwarded message ----------
From: Reed Loden <re...@reedloden.com>
Date: Tue, Apr 7, 2015 at 2:11 PM
Subject: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown
To: Assign a CVE Identifier <cve-a...@mitre.org>, rubysec-...@googlegroups.com, oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com


Title: redcarpet and related gems allow for possible XSS of untrusted markdown if autolink extension is enabled

Date: 2015-04-07

CVE: Yet to be assigned.

Credit: Daniel LeCheminant (@d_lec)

Description: Markdown to (X)HTML parser

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown, including:

* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is enabled.

More information is available at:

* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
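An added example, not part of Reed's post or of any of the projects named in it: a small Ruby check that applies the version information above to a Gemfile.lock and combines it with whether the autolink extension is turned on, since the advisory says only autolink users are exposed. The page gives a fixed version (3.2.3) for redcarpet alone; for the other libraries it lists just the release found affected, so for those the check can only report "at or below the listed version". The Gemfile.lock excerpt is constructed for the demonstration and is not a real project file.

```ruby
require "rubygems" # Gem::Version ships with Ruby's bundled RubyGems

# Last affected release of each library named in the advisory. Only redcarpet
# has a fix version on the page (3.2.3); the rest are "affected as listed".
LAST_AFFECTED = {
  "redcarpet"   => "3.2.2",
  "sundown"     => "1.16.0",
  "hoedown"     => "3.0.1",
  "robotskirt"  => "2.7.1",
  "misaka"      => "1.0.2",
  "php-sundown" => "0.3.11",
}.freeze
REDCARPET_FIXED = Gem::Version.new("3.2.3")

# Classify a (library, version) pair against the advisory.
# Returns :affected, :fixed (redcarpet >= 3.2.3), :newer_than_listed
# (non-redcarpet library above the release the page names; fix status is not
# stated on the page) or :not_listed.
def autolink_xss_status(library, version)
  last = LAST_AFFECTED[library]
  return :not_listed unless last
  v = Gem::Version.new(version) # handles prereleases: 3.2.3.pre < 3.2.3
  if library == "redcarpet"
    v >= REDCARPET_FIXED ? :fixed : :affected
  else
    v <= Gem::Version.new(last) ? :affected : :newer_than_listed
  end
end

# Combine the version verdict with the deployment's autolink setting.
def deployment_risk(library, version, autolink_enabled)
  status = autolink_xss_status(library, version)
  return status unless status == :affected
  autolink_enabled ? :at_risk : :mitigated_by_config
end

# Pull "name (version)" lines out of the GEM specs section of a Gemfile.lock.
# Spec lines sit at exactly four spaces; their dependency lines are indented
# deeper, so the anchor skips them.
def lockfile_gem_versions(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Constructed Gemfile.lock excerpt (not a real project file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      redcarpet (3.2.2)
        rack (>= 1.0)

  PLATFORMS
    ruby
LOCK

# Report a verdict for every listed library that appears in the lockfile.
def audit_lockfile(lock_text, autolink_enabled)
  lockfile_gem_versions(lock_text).each_with_object({}) do |(name, ver), out|
    out[name] = deployment_risk(name, ver, autolink_enabled) if LAST_AFFECTED.key?(name)
  end
end

if __FILE__ == $0
  audit_lockfile(SAMPLE_LOCK, true).each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Run against a real lockfile with `audit_lockfile(File.read("Gemfile.lock"), true)`; `:at_risk` means upgrade to 3.2.3 or later, and a `:mitigated_by_config` result only holds for as long as the autolink extension stays disabled on every renderer that touches untrusted markdown.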
