RubySec

Providing security resources for the Ruby community

OSVDB-120415 (redcarpet): redcarpet Gem for Ruby markdown.c parse_inline() Function XSS

ADVISORIES

GEM

redcarpet

PATCHED VERSIONS

  • >= 3.2.3

DESCRIPTION

redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

RELATED