Add CVE-2020-26298 for redcarpet

rubysec · Jan 11, 2021 · f05618a · f05618a
1 parent c363fb3
commit f05618a
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/gems/redcarpet/CVE-2020-26298.yml b/gems/redcarpet/CVE-2020-26298.yml
@@ -0,0 +1,21 @@
+---
+gem: redcarpet
+cve: 2020-26298
+ghsa: q3wr-qw3g-3p4h
+url: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
+date: 2021-01-11
+title: Injection/XSS in Redcarpet
+description: |
+  Redcarpet is a Ruby library for Markdown processing. In Redcarpet before
+  version 3.5.1, there is an injection vulnerability which can enable a cross-site
+  scripting attack. In affected versions no HTML escaping was being performed when
+  processing quotes. This applies even when the `:escape_html` option was being used.
+
+cvss_v3: 6.8
+
+patched_versions:
+  - ">= 3.5.1"
+
+related:
+  url:
+    - https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security