FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-markdown2 -- XSS vulnerability

Affected packages
py310-markdown2 < 2.3.9
py311-markdown2 < 2.3.9
py37-markdown2 < 2.3.9
py38-markdown2 < 2.3.9
py39-markdown2 < 2.3.9

Details

VuXML ID cf6f3465-e996-4672-9458-ce803f29fdb7
Discovery 2020-04-20
Entry 2023-08-31

TheGrandPew reports:

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.

For example, an attack might use elementname@ or elementname- with an onclick attribute.
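The report above pins the defect to element names that do not fully match `\w+`. As an added, defender-side check (not part of this advisory or of the markdown2 project), the Python below scans already-rendered HTML for exactly that class of tag name and notes whether such a tag also carries an `on*` event-handler attribute, so output from a not-yet-upgraded renderer can be flagged before it is served. The sample HTML is constructed for the example.

```python
import re
from dataclasses import dataclass

# Opening or closing tag: captures the raw tag name (anything up to whitespace,
# "/" or ">") and the remaining attribute text. The name is deliberately NOT
# restricted to \w so that names such as "elementname@" are captured as-is.
_TAG_RE = re.compile(r"<\s*/?\s*([^\s/>]+)([^>]*)>")
# The name shape a sanitizer built around a \w+ match would recognise.
_WORD_NAME_RE = re.compile(r"^\w+$")
# Inline event-handler attributes (onclick=, onmouseover=, ...).
_EVENT_ATTR_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)


@dataclass(frozen=True)
class SuspectTag:
    name: str               # raw tag name that failed the \w+ check
    has_event_handler: bool # an on*= attribute was present on the same tag
    raw: str                # the full tag text as found


def find_suspect_tags(html: str) -> list[SuspectTag]:
    r"""Return every tag whose name is not purely \w characters.

    Comments, doctype and processing instructions ("<!--", "<!DOCTYPE", "<?")
    are skipped; everything else with a non-word name is reported.
    """
    suspects: list[SuspectTag] = []
    for match in _TAG_RE.finditer(html):
        name, attrs = match.group(1), match.group(2)
        if name[0] in "!?" or _WORD_NAME_RE.match(name):
            continue
        suspects.append(SuspectTag(
            name=name,
            has_event_handler=bool(_EVENT_ATTR_RE.search(attrs)),
            raw=match.group(0),
        ))
    return suspects


def is_clean(html: str) -> bool:
    """True when no tag with a non-\\w name is present in the rendered HTML."""
    return not find_suspect_tags(html)


# Constructed sample: one ordinary paragraph, one tag of the shape the report
# describes (non-word name plus an onclick attribute), one self-closing tag.
SAMPLE_RENDERED = (
    '<p class="note">hello</p>\n'
    '<elementname@ onclick="handler()">x</elementname@>\n'
    '<!-- comment -->\n'
    '<br />'
)

if __name__ == "__main__":
    for tag in find_suspect_tags(SAMPLE_RENDERED):
        print(f"suspect tag {tag.name!r} event_handler={tag.has_event_handler}: {tag.raw}")
```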

References

CVE Name CVE-2020-11888
URL https://osv.dev/vulnerability/GHSA-fv3h-8x5j-pvgq
URL https://osv.dev/vulnerability/PYSEC-2020-65