CVE-2018-20583

Low
colinodell published GHSA-rfj4-8hcc-qvwm Aug 26, 2019 · 1 comment

Package

composer league/commonmark (Composer)

Affected versions

0.15.6 through 0.18.0

Patched versions

0.18.1

Description

Impact

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character inside the URL scheme (e.g., writing javascript as javascri%0apt, where %0a is the percent-encoded newline).
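The failure mode described above, as an added illustration that is not the library's code: a scheme check applied to the link text as written misses a percent-encoded newline, whereas a check run after decoding and after stripping the ASCII tab/newline characters that browsers ignore in a scheme catches it. The scheme list and the "empty the href" rendering are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote

# Assumed list of schemes treated as unsafe for this illustration.
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "file:", "data:")


def is_unsafe_naive(url: str) -> bool:
    """Vulnerable pattern: test the raw link text as written.
    'javascri%0apt:...' does not start with 'javascript:', so it passes."""
    return url.lower().startswith(UNSAFE_SCHEMES)


def normalize_for_check(url: str) -> str:
    """Decode percent-escapes, then drop ASCII tab/CR/LF, which the WHATWG URL
    parser removes before reading the scheme (so browsers ignore them too)."""
    decoded = unquote(url)
    return re.sub(r"[\t\r\n]", "", decoded).strip().lower()


def is_unsafe_hardened(url: str) -> bool:
    """Hardened check: classify the URL the way a browser will interpret it."""
    return normalize_for_check(url).startswith(UNSAFE_SCHEMES)


def render_link(url: str, text: str, check=is_unsafe_hardened) -> str:
    """Render an <a> tag; unsafe destinations get an empty href (assumed policy)."""
    href = "" if check(url) else html.escape(url, quote=True)
    return f'<a href="{href}">{html.escape(text)}</a>'


# Constructed sample destinations; only the first one is benign.
SAMPLES = [
    "https://example.com/",
    "javascript:alert(1)",
    "javascri%0apt:alert(1)",
    "JAVA%09SCRIPT:alert(1)",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r:32} naive={is_unsafe_naive(url)!s:5} "
              f"hardened={is_unsafe_hardened(url)}")
```

Run it to see that the naive check flags only the undisguised `javascript:` link, while the hardened check also rejects the newline and tab variants.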

Patches

The problem was fixed in 0.18.1. All users should upgrade to the latest version.

Workarounds

n/a

References

Severity

Low

CVE ID

CVE-2018-20583

Weaknesses

No CWEs