PHP League · PHP League CommonMark Library · CVE-2019-10010
Name of the Vulnerable Software and Affected Versions:
PHP League CommonMark library versions prior to 0.18.3
Description:
This is a cross-site scripting (XSS) vulnerability: a remote attacker can insert unsafe links into the rendered HTML by supplying double-encoded HTML entities, which the library does not properly escape during rendering.
Recommendations:
If you run a version prior to 0.18.3, update to 0.18.3 or later; that release resolves the issue. Where an update cannot be applied immediately, consider disabling the rendering of user-provided HTML entities as a temporary workaround, restrict which callers and inputs reach the CommonMark library to reduce exposure, and do not use it to render untrusted input until you are on a fixed version.
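A defender's post-render check, added here as an example and not part of this advisory or of the library's own code: it decodes href/src values until they stop changing, so a destination hidden behind double-encoded entities is judged on its real scheme rather than on its first decoding. The sample renderer output and the scheme lists are constructed assumptions; the function can be run over HTML produced by an unpatched install to flag links the renderer should have refused.

```python
import html
import re

# Link schemes a Markdown renderer must not emit for user-supplied input;
# data: URIs are tolerated only for plain raster images (assumed policy).
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "file:", "data:")
SAFE_DATA_PREFIXES = ("data:image/png", "data:image/gif", "data:image/jpeg", "data:image/webp")

# href="..." or src='...' attributes in the rendered HTML.
_ATTR_RE = re.compile(r'\b(?:href|src)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.IGNORECASE)

# Constructed sample of renderer output: one safe link, one link whose
# destination was double-encoded, and a harmless inline image.
SAMPLE_OUTPUT = (
    '<p><a href="https://example.com/docs">docs</a> '
    '<a href="javascript&amp;#58;void(0)">click</a> '
    '<img src="data:image/png;base64,AAAA"></p>'
)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode entities until stable: one html.unescape() turns '&amp;#58;'
    into '&#58;', a second yields ':'. A single pass misses this double
    encoding (the bypass behind CVE-2019-10010); max_rounds bounds the loop.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_unsafe_destination(url: str) -> bool:
    """Classify a fully decoded link destination by its scheme."""
    # Browsers ignore whitespace/control characters inside the scheme, so
    # drop them before comparing; lower-case for a case-insensitive match.
    cleaned = "".join(ch for ch in url if ch > " ").lower()
    if cleaned.startswith("data:"):
        return not cleaned.startswith(SAFE_DATA_PREFIXES)
    return cleaned.startswith(UNSAFE_SCHEMES)


def find_unsafe_links(rendered_html: str) -> list:
    """Return the raw href/src values whose decoded form is unsafe."""
    findings = []
    for match in _ATTR_RE.finditer(rendered_html):
        raw = match.group(1) if match.group(1) is not None else match.group(2)
        if is_unsafe_destination(fully_decode(raw)):
            findings.append(raw)
    return findings
```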