mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-02-13 21:18:11 +01:00
486 B
486 B
[advisory]
id = "RUSTSEC-2021-0026"
package = "comrak"
aliases = ["CVE-2021-27671"]
date = "2021-02-21"
url = "https://github.com/kivikakk/comrak/releases/tag/0.9.1"
categories = ["format-injection"]
keywords = ["xss"]
[versions]
patched = [">= 0.9.1"]
XSS in comrak
The comrak we were matching unsafe URL prefixes, such as data: or javascript: , in a case-sensitive manner. This meant prefixes like Data: were untouched.