mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-14 23:24:51 +01:00

Files

Alexis Mousset 8c05fea5fa Add cvss information from nvd (#1085 )

2021-10-19 16:14:35 -06:00

540 B

Raw Blame History

[advisory]
id = "RUSTSEC-2021-0026"
package = "comrak"
aliases = ["CVE-2021-27671"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
date = "2021-02-21"
url = "https://github.com/kivikakk/comrak/releases/tag/0.9.1"
categories = ["format-injection"]
keywords = ["xss"]

[versions]
patched = [">= 0.9.1"]

XSS in `comrak`

The comrak we were matching unsafe URL prefixes, such as data: or javascript: , in a case-sensitive manner. This meant prefixes like Data: were untouched.

540 B Raw Blame History

XSS in comrak

540 B

Raw Blame History

XSS in `comrak`