erusev/parsedown is vulnerable to cross-site scripting (XSS). A remote attacker can inject arbitrary JavaScript into a victim's browser via the contents of any element with a specific class when safe mode is used and HTML markup is disabled. This is possible because spaces are permitted in code block infostrings, which interferes with the intended behavior of emitting a single class name beginning with the `language-` substring.
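The root cause described above is that the whole infostring, spaces included, reaches the `class` attribute, instead of a single language token. The following added example (not Parsedown's code) shows the defensive rule a renderer should apply when turning a fence infostring into HTML: keep only the first whitespace-delimited word, accept it only if it matches a conservative character set (the regex is an assumption chosen here, not taken from any specification or from Parsedown), and HTML-escape both the attribute and the code body. All inputs are constructed for illustration.

```python
import html
import re

# Conservative whitelist for a language token (assumption for this example):
# letters, digits and a few punctuation characters seen in common language
# names such as "c++", "c#" or "objective-c". No whitespace, quotes or angle
# brackets can ever pass, so the token cannot break out of the attribute.
LANGUAGE_TOKEN = re.compile(r"^[A-Za-z0-9_+.#-]+$")


def language_class(infostring: str):
    """Return 'language-<token>' for the first word of an infostring, or None.

    Only the first whitespace-delimited word is considered (the remainder of the
    infostring is ignored), and the word must match LANGUAGE_TOKEN.
    """
    words = infostring.strip().split(None, 1)
    if not words:
        return None
    token = words[0]
    if not LANGUAGE_TOKEN.match(token):
        return None
    return "language-" + token


def render_fence(infostring: str, code: str) -> str:
    """Render a fenced code block as escaped HTML with at most one class."""
    cls = language_class(infostring)
    # html.escape on the class is belt-and-braces: the whitelist already
    # excludes every character that could terminate the attribute.
    attr = f' class="{html.escape(cls, quote=True)}"' if cls else ""
    return f"<pre><code{attr}>{html.escape(code)}</code></pre>"


if __name__ == "__main__":
    # Constructed inputs: a plain token, a token followed by extra words,
    # and an infostring whose first word is rejected by the whitelist.
    for info in ["php", "php extra words", 'bad"token', ""]:
        print(repr(info), "->", render_fence(info, "<?php echo 1;"))
```

Running the block prints one rendered block per constructed infostring; the extra words after `php` are dropped rather than copied into the attribute, and a first word containing a quote yields a `<code>` element with no class at all.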
| CPE | Name | Operator | Version |
|---|---|---|---|
| | erusev/parsedown | le | 1.8.0-beta-5 |
| | erusev/parsedown | le | 1.7.1 |