[Python-modules-team] Bug#959445: python-markdown2: CVE-2020-11888
Salvatore Bonaccorso
carnil at debian.org
Sat May 2 14:20:31 BST 2020
Source: python-markdown2
Version: 2.3.7-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/trentm/python-markdown2/issues/348
Hi,
The following vulnerability was published for python-markdown2.
CVE-2020-11888[0]:
| python-markdown2 through 2.3.8 allows XSS because element names are
| mishandled unless a \w+ match succeeds. For example, an attack might
| use elementname@ or elementname- with an onclick attribute.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-11888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11888
[1] https://github.com/trentm/python-markdown2/issues/348
Regards,
Salvatore
More information about the Python-modules-team
mailing list