QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26298

Published: Jan 11, 2021

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.

Vendor	Product	Versions
vmg	redcarpet	affected `< 3.5.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/advisories/GHSA-q3wr-qw3g-3p4h

https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793

https://rubygems.org/gems/redcarpet

https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security

[debian-lts-announce] 20210115 [SECURITY] [DLA 2526-1] ruby-redcarpet security update

mailing-list

vendor-advisory

FEDORA-2023-597f13ffb9

vendor-advisory

FEDORA-2023-8682a0e17d

vendor-advisory

FEDORA-2023-44daa9c1d4

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.