redcarpet 1.11.2

2 security vulnerabilities found in version 1.11.2

redcarpet Gem for Ruby markdown.c parse_inline() Function XSS

high severity OSVDB-120415
Patched versions: >= 3.2.3

redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Injection/XSS in Redcarpet

high severity CVE-2020-26298
Patched versions: >= 3.5.1

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability that can enable a cross-site scripting attack: in affected versions no HTML escaping was performed on text processed by the quote extension, even when the :escape_html renderer option was in use. Markup placed inside a double-quoted span was therefore emitted verbatim into the generated HTML.
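The following is an added regression probe for this issue, not code from redcarpet or from this advisory. It renders a canary payload wrapped in double quotes with the :quote extension and the :escape_html renderer option, then scans the output for tags outside a small allowlist or for on* event-handler attributes, which is what the renderer should have escaped. The canary string and the two sample outputs (one standing in for an affected gem, one for a fixed gem) are constructed for this example so the checker can be exercised even where redcarpet is not installed.

```ruby
# Added example for CVE-2020-26298 (not code from redcarpet or from this
# advisory). Renders a canary inside double quotes with :quote and
# :escape_html enabled, then inspects the HTML for markup that should have
# been escaped. CANARY and the two sample outputs are constructed here.

begin
  require 'redcarpet'
  REDCARPET_AVAILABLE = true
rescue LoadError
  REDCARPET_AVAILABLE = false
end

# Canary wrapped in the double quotes that the :quote extension turns into <q>.
CANARY = '"<img src=x onerror=alert(1)>"'

# Constructed stand-ins for what an affected (< 3.5.1) and a fixed gem
# produce for CANARY; they let the checker run without the gem present.
VULNERABLE_OUTPUT = "<p><q><img src=x onerror=alert(1)></q></p>\n"
PATCHED_OUTPUT    = "<p><q>&lt;img src=x onerror=alert(1)&gt;</q></p>\n"

# Tags the renderer legitimately emits for this one-line input.
ALLOWED_TAGS = %w[p q].freeze

# True if the output carries a tag outside the allowlist, or any on*
# event-handler attribute inside a tag. Escaped text (&lt;img ...) has no
# literal '<', so it never matches.
def active_markup?(html)
  html.scan(/<\/?([a-zA-Z][\w-]*)([^>]*)>/).any? do |name, attrs|
    !ALLOWED_TAGS.include?(name.downcase) || attrs.match?(/\son[a-z]+\s*=/i)
  end
end

# Runs the probe against the installed gem. Returns nil when redcarpet is
# not installed; otherwise a hash with the rendered HTML and the verdict.
def quote_escaping_probe
  return nil unless REDCARPET_AVAILABLE

  renderer = Redcarpet::Render::HTML.new(escape_html: true)
  markdown = Redcarpet::Markdown.new(renderer, quote: true)
  html = markdown.render(CANARY)
  { html: html, vulnerable: active_markup?(html) }
end

if __FILE__ == $PROGRAM_NAME
  result = quote_escaping_probe
  if result.nil?
    puts 'redcarpet not installed; `gem install redcarpet` to probe a real version'
  else
    puts result[:html]
    puts(result[:vulnerable] ? 'VULNERABLE: quoted markup reached the output unescaped' : 'ok: quoted markup escaped')
  end
end
```

Run the file directly in the application's bundle to test the version actually deployed; a `vulnerable: true` verdict means the installed gem predates the 3.5.1 fix, and the rendered HTML is printed so the escaping failure can be seen rather than inferred from the version string alone.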

1 memory leak found in version 1.11.2

Memory Leak in Redcarpet::Render::Base

516
Patched versions: >= 3.3
Leaky versions: < 3.3.3

rb_redcarpet_rbase_alloc allocated a struct rb_redcarpet_rndr instance that was never freed.

This leaked 312 bytes (on a 64-bit machine) on every render call, so long-running processes that render untrusted or high-volume input grew without bound until restarted.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.