MidnightBSD

Advisories for redcarpet_project

CVE-2015-5147 HIGH

Stack-based buffer overflow in the header_anchor function in the HTML renderer in Redcarpet before 3.3.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redcarpet_project redcarpet *
CVE-2020-26298 LOW

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N 2.3 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-74,CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 9.0
redcarpet_project redcarpet *