redcarpet 1.13.0

2 security vulnerabilities found in version 1.13.0

redcarpet Gem for Ruby markdown.c parse_inline() Function XSS

high severity OSVDB-120415
high severity OSVDB-120415
Patched versions: >= 3.2.3

redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Injection/XSS in Redcarpet

high severity CVE-2020-26298
high severity CVE-2020-26298
Patched versions: >= 3.5.1

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used.

1 memory leak found in version 1.13.0

Memory Leak in Redcarpet::Render::Base

516
Patched versions: >= 3.3
Leaky versions: < 3.3.3

rb_redcarpet_rbase_alloc used to allocate a struct rb_redcarpet_rndr instance which was never freed.

This caused 312 leaked bytes (on a 64-bit machine) on every render call

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.