CVE-2020-26298 MEDIUM

CVE-2020-26298: Injection in Redcarpet

Vendor Vmg
Product redcarpet
Weakness CWE-74
Published January 11, 2021
Last update February 13, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

What the vulnerability does

01 Description

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability that can enable a cross-site scripting attack. In affected versions, no HTML escaping was performed when processing quotes; this applies even when the `:escape_html` option was in use. This is fixed in version 3.5.1 by the referenced commit.

Key dates

02 Disclosure timeline

January 11, 2021 CVE published
February 13, 2025 Record updated