RubySec

Providing security resources for the Ruby community

CVE-2020-26298 (redcarpet): Injection/XSS in Redcarpet

ADVISORIES

GEM

redcarpet

SEVERITY

CVSS v3.x: 6.8 (Medium)

PATCHED VERSIONS

  • >= 3.5.1

DESCRIPTION

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used.

RELATED