FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-redcarpet -- XSS vulnerability

Affected packages
rubygem-redcarpet < 3.2.3

Details

VuXML ID c368155a-fa83-11e4-bc58-001e67150279
Discovery 2015-04-07
Entry 2015-05-14

Daniel LeCheminant reports:

When markdown is being presented as HTML, there seems to be a strange interaction between _ and @ that lets an attacker insert malicious tags.

References

Message http://openwall.com/lists/oss-security/2015/04/07/11
URL http://danlec.com/blog/bug-in-sundown-and-redcarpet
URL https://hackerone.com/reports/46916