CVE-2019-10905
CVE-2019-10905 is a vulnerability of currently unknown severity. Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring. EPSS estimates a 1.47% chance of exploitation in the next 30 days.
Description
Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Parsedown | Parsedown | < 1.7.2 |
References
- https://github.com/erusev/parsedown/issues/699 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/erusev/parsedown/releases/tag/1.7.2 (Release Notes, Third Party Advisory)
Source: NVD / NIST
