CVE-2020-26298
Description
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.
- CVSS Version 3.1
- CVSS Version 2.0
nvd
CVE ID: CVE-2020-26298
Base Score: 5.4
Base Severity: MEDIUM
Vector String:CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.3
github
CVE ID: CVE-2020-26298
Base Score: 6.8
Base Severity: MEDIUM
Vector String:CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Impact Score: 4.0
Exploitability Score: 2.3
nvd
CVE ID: CVE-2020-26298
Base Score: 3.5
Base Severity: LOW
Vector String:AV:N/AC:M/Au:S/C:N/I:P/A:N