CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 33.4%

I’ve picked up on the work started over at #276 and rebased on erusev/master. Since this is rebased on master, I can’t point a PR at naNuke/master without running into the merge conflicts that I’ve already resolved manually.

I’ve implemented what I suggested earlier so that all attributes are properly encoded (and not just the specific ones we remember).

I’ve also added some tests, so @erusev’s concern here should hopefully now be resolved, albeit a year later 😉

#276 (comment)
> @malas one reason is the lack of tests

One thing to note is that all this can be circumvented if you forget to turn on $Parsedown->setMarkupEscaped(true); (which is off by default) as you could just write a script tag manually for XSS (even though the attributes and link destinations will be safe). So let’s all remember to enable this setting 😉

Attributes are now always escaped properly (this speaks to just outputting things correctly), but link-based XSS or XSS from writing plain old script tags will be prevented only if the new setSafeMode is enabled.

$Parsedown->setSafeMode(true);

Closes #161
Closes #497
Closes #276
Closes #403
Closes #530

The following CVE has been assigned to the vulnerability specific to bypassing ->setMarkupEscaped(true): CVE-2018-1000162.

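Added example (not part of the pull request or of Parsedown's own code): a regression check that renders untrusted Markdown under the settings named above and exits non-zero if safe mode still emits active content. It assumes erusev/parsedown 1.7.0 or later installed through Composer at `vendor/autoload.php`; the helper `isUnsafe` and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Parsedown project code.
// Assumption: erusev/parsedown >= 1.7.0 installed via Composer in ./vendor.
require __DIR__ . '/vendor/autoload.php';

// Constructed samples of untrusted Markdown, one per class named in the text.
$samples = [
    'raw script tag'   => "<script>alert(1)</script>",
    'link destination' => "[click](javascript:alert(1))",
];

// Hypothetical helper: true if the rendered HTML still carries a script
// element or a javascript: link destination.
function isUnsafe(string $html): bool
{
    return (bool) preg_match('/<script\b|href\s*=\s*"\s*javascript:/i', $html);
}

// The three configurations the text distinguishes.
$configs = [
    'defaults'               => function () { return new Parsedown(); },
    'setMarkupEscaped(true)' => function () { return (new Parsedown())->setMarkupEscaped(true); },
    'setSafeMode(true)'      => function () { return (new Parsedown())->setSafeMode(true); },
];

$failures = 0;
foreach ($configs as $configName => $make) {
    foreach ($samples as $sampleName => $markdown) {
        $html   = $make()->text($markdown);
        $unsafe = isUnsafe($html);
        printf("%-24s %-18s %s\n", $configName, $sampleName, $unsafe ? 'UNSAFE' : 'ok');

        // Only safe mode is expected to neutralise both sample classes.
        if ($configName === 'setSafeMode(true)' && $unsafe) {
            $failures++;
        }
    }
}

// Non-zero exit lets a CI job fail when safe-mode output regresses.
exit($failures === 0 ? 0 : 1);
```

Run it in CI after dependency updates so a downgrade below 1.7.0 or a dropped `setSafeMode(true)` call shows up as a failed job.
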
| CPE | Name | Operator | Version |
|---|---|---|---|
| | erusev/parsedown | lt | 1.7.0 |