
RUSTSEC-2021-0026

XSS in comrak

Reported
Issued
Package
comrak (crates.io)
Type
Vulnerability
Categories
Keywords
#xss
Aliases
Details
https://github.com/kivikakk/comrak/releases/tag/0.9.1
CVSS Score
6.1 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Patched
  • >=0.9.1

Description

comrak matched unsafe URL prefixes, such as data: or javascript:, in a case-sensitive manner. This meant prefixes like Data: or JavaScript: were not recognised and passed through untouched.
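The check described above, as an added example (this is not comrak's own code, and the prefix list and function names are assumptions made for the illustration): a byte-for-byte `starts_with` test beside a version that folds ASCII case before comparing. The second form is the natural fix because URL schemes are ASCII by definition, so `eq_ignore_ascii_case` on the first few bytes is enough and avoids lowercasing the whole URL.

```rust
// Added example, not comrak's code: contrast a case-sensitive unsafe-scheme
// check (the defect in the advisory) with a case-insensitive one.

/// Schemes a Markdown renderer should refuse to emit as link or image targets.
/// The advisory names data: and javascript:; the rest of the list is assumed.
const UNSAFE_PREFIXES: &[&str] = &["javascript:", "vbscript:", "file:", "data:"];

/// Vulnerable variant: exact byte comparison, so "Data:" or "JavaScript:" slip through.
pub fn is_unsafe_url_case_sensitive(url: &str) -> bool {
    UNSAFE_PREFIXES.iter().any(|p| url.starts_with(p))
}

/// Fixed variant: compare only the first `p.len()` bytes, ignoring ASCII case.
/// Schemes are ASCII (RFC 3986), so ASCII folding is sufficient and we never
/// slice mid-character because we work on the byte view.
pub fn is_unsafe_url_case_insensitive(url: &str) -> bool {
    UNSAFE_PREFIXES.iter().any(|p| {
        url.len() >= p.len() && url.as_bytes()[..p.len()].eq_ignore_ascii_case(p.as_bytes())
    })
}

/// Return the href to emit, or an empty string when the target is unsafe,
/// using the fixed check. Emitting "" rather than dropping the link keeps the
/// document structure while neutralising the dangerous target.
pub fn sanitize_href(url: &str) -> &str {
    if is_unsafe_url_case_insensitive(url) {
        ""
    } else {
        url
    }
}

fn main() {
    // Constructed inputs for the demonstration.
    let samples = [
        "javascript:alert(1)",
        "JavaScript:alert(1)",
        "Data:text/html;base64,PHNjcmlwdD4=",
        "https://example.org/",
        "dat",
    ];
    for url in samples {
        println!(
            "{:<40} case-sensitive={:<5} case-insensitive={:<5} emitted={:?}",
            url,
            is_unsafe_url_case_sensitive(url),
            is_unsafe_url_case_insensitive(url),
            sanitize_href(url)
        );
    }
}
```

Running the block prints one line per sample; the mixed-case entries are the ones where the two columns disagree, which is exactly the gap the 0.9.1 release closed.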