Add advisory on comrak XSS

Signed-off-by: Kohei Morita <mrtc0@ssrf.in>
Kohei Morita
2021-02-21 11:22:07 +09:00
parent 631d33d446
commit 3aada4c4d8


@@ -0,0 +1,17 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "comrak"
date = "2021-02-21"
url = "https://github.com/kivikakk/comrak/releases/tag/0.9.1"
categories = ["format-injection"]
keywords = ["xss"]
[versions]
patched = [">= 0.9.1"]
```
# XSS in `comrak`
The [comrak](https://github.com/kivikakk/comrak) we were matching unsafe URL prefixes, such as `data:` or `javascript:` , in a case-sensitive manner. This meant prefixes like `Data:` were untouched.
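Review bot: the description on the last line of the hunk is ungrammatical ("The [comrak](...) we were matching unsafe URL prefixes") and never says what the consequence is; suggest rewording it to something like "comrak before 0.9.1 matched unsafe URL prefixes, such as `data:` or `javascript:`, in a case-sensitive manner, so prefixes like `Data:` or `JavaScript:` were left untouched and passed through into the rendered HTML", and adding a sentence on impact so readers can triage: a Markdown document containing a link with a mixed-case scheme could carry script into the output, which is an XSS when that output is shown in a browser. Since `patched = [">= 0.9.1"]` is the only version constraint, it would also help to say explicitly that all releases before 0.9.1 are affected and that the fix is in the release linked by `url`.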