Vulnerability Description
Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.
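The mechanism above, modelled as an added example rather than Parsedown's own code: a toy fence renderer that keeps the whole infostring (the pre-1.7.2 behaviour) beside one that keeps only the first whitespace-delimited token (the 1.7.2 fix), plus a defensive output check a page owner can run over rendered HTML. The sample markdown and the class names are constructed.

```python
import html
import re

# Constructed sample: a fenced block whose infostring contains a space.
SAMPLE_MARKDOWN = "```js run-me\nalert(1)\n```\n"


def infostring_to_class(infostring: str, fixed: bool) -> str:
    """Derive the class attribute value from a fence infostring.

    fixed=False models the vulnerable behaviour: the whole infostring, spaces
    included, is appended to 'language-', so the element ends up with extra
    classes chosen by whoever wrote the markdown.
    fixed=True models the 1.7.2 fix: only the first token is used.
    """
    tokens = infostring.strip().split()
    if not tokens:
        return ""
    info = tokens[0] if fixed else " ".join(tokens)
    return "language-" + info


def render_fenced(markdown: str, fixed: bool) -> str:
    """Render a single fenced code block to <pre><code> (toy renderer)."""
    m = re.match(r"```([^\n]*)\n(.*?)\n```", markdown, re.S)
    if m is None:
        raise ValueError("no fenced code block found")
    cls = infostring_to_class(m.group(1), fixed)
    attr = f' class="{html.escape(cls, quote=True)}"' if cls else ""
    return f"<pre><code{attr}>{html.escape(m.group(2))}</code></pre>"


def classes_are_safe(html_out: str) -> bool:
    """Defensive check over rendered HTML: every <code> element must carry
    exactly one class, and that class must begin with 'language-'."""
    for attr in re.findall(r'<code class="([^"]*)"', html_out):
        tokens = attr.split()
        if len(tokens) != 1 or not tokens[0].startswith("language-"):
            return False
    return True


if __name__ == "__main__":
    for fixed in (False, True):
        out = render_fenced(SAMPLE_MARKDOWN, fixed)
        print(f"fixed={fixed}: {out} -> safe={classes_are_safe(out)}")
```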
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parsedown | Parsedown | < 1.7.2 |
Related Weaknesses (CWE)
References
- https://github.com/erusev/parsedown/issues/699 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/erusev/parsedown/releases/tag/1.7.2 (Release Notes, Third Party Advisory)
FAQ
What is CVE-2019-10905?
CVE-2019-10905 is a vulnerability with a CVSS score of 8.1 (HIGH). Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the c...
How severe is CVE-2019-10905?
CVE-2019-10905 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10905?
Check the references section above for vendor advisories and patch information. Affected products include: Parsedown (vendor Parsedown), versions before 1.7.2.