RUSTSEC-2021-0026

XSS in comrak

Reported
Issued
Package
comrak (crates.io)
Type
Vulnerability
Categories
Keywords
#xss
Aliases
References
CVSS Score
6.1 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Patched
  • >=0.9.1

Description

The comrak crate was matching unsafe URL prefixes, such as data: or javascript:, in a case-sensitive manner. This meant prefixes like Data: were untouched.
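The following Rust snippet is an added illustration of the defect class described above; it is not comrak's own code, and the prefix list and function names are assumptions chosen for the example. It places a case-sensitive prefix check next to an ASCII-case-insensitive one so the gap (`Data:` passing a filter that catches `data:`) is visible on constructed inputs.

```rust
// Added example (not comrak's code): why a case-sensitive scheme check is
// insufficient and how an ASCII-case-insensitive comparison closes the gap.
// The prefix list below is an assumption for illustration only.
const UNSAFE_PREFIXES: [&str; 4] = ["javascript:", "vbscript:", "file:", "data:"];

/// Vulnerable pattern: `starts_with` compares bytes exactly, so a URL that
/// begins with "Data:" or "JavaScript:" is not recognised as unsafe.
pub fn is_unsafe_url_case_sensitive(url: &str) -> bool {
    UNSAFE_PREFIXES.iter().any(|p| url.starts_with(p))
}

/// Hardened pattern: compare the leading bytes of the URL to each prefix while
/// ignoring ASCII case. URI schemes are ASCII case-insensitive (RFC 3986 s3.1),
/// so ASCII folding is the correct tool; full Unicode lowercasing is not needed
/// and could change byte lengths, which would complicate the slice below.
pub fn is_unsafe_url_case_insensitive(url: &str) -> bool {
    UNSAFE_PREFIXES.iter().any(|p| {
        url.len() >= p.len() && url.as_bytes()[..p.len()].eq_ignore_ascii_case(p.as_bytes())
    })
}

/// Returns the hrefs from `candidates` that the given check lets through
/// untouched; used here to show the difference between the two checks.
pub fn allowed_by(check: fn(&str) -> bool, candidates: &[&str]) -> Vec<String> {
    candidates
        .iter()
        .filter(|u| !check(u))
        .map(|u| u.to_string())
        .collect()
}

/// Constructed sample hrefs, including case variants of unsafe schemes.
pub const SAMPLE_HREFS: [&str; 5] = [
    "https://example.com/page",
    "data:text/html,example",
    "Data:text/html,example",
    "JavaScript:void(0)",
    "mailto:someone@example.com",
];

fn main() {
    for u in allowed_by(is_unsafe_url_case_sensitive, &SAMPLE_HREFS) {
        println!("case-sensitive check allows:   {u}");
    }
    for u in allowed_by(is_unsafe_url_case_insensitive, &SAMPLE_HREFS) {
        println!("case-insensitive check allows: {u}");
    }
}
```

Running `main` shows the case-sensitive check letting `Data:` and `JavaScript:` hrefs through while the hardened check blocks both and still accepts the `https:` and `mailto:` links.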

Advisory available under CC0-1.0 license.