PT-2021-3541 · Redcarpet+1 · Redcarpet+1

Johan Smits

Published

2021-01-11

Updated

2024-07-27

CVE-2020-26298

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Redcarpet versions prior to 3.5.1

Description The issue is related to incorrect input sanitization in the Redcarpet library, which can enable a cross-site scripting attack. This is due to the lack of HTML escaping when processing quotes, even when the :escape html option is used.

Recommendations For versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of quotes in the Redcarpet library until a patch is available. Restrict access to the library to minimize the risk of exploitation. Avoid using the :escape html option in affected versions, as it does not provide the expected protection.

Exploit

Fix

Special Elements Injection

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-79

Related Identifiers

ALT-PU-2022-2029

ALT-PU-2023-4272

ALT-PU-2024-7818

BDU:2021-03625

CVE-2020-26298

DLA-2526-1

DSA-4831-1

GHSA-Q3WR-QW3G-3P4H

OESA-2021-1175

SUSE-SU-2021:3728-1

SUSE-SU-2021:3729-1

Affected Products

Alt Linux

Redcarpet

PT-2021-3541 · Redcarpet+1 · Redcarpet+1

CVE-2020-26298

Weakness Enumeration

Related Identifiers

Affected Products

References · 46