
CVE-2020-26298: Injection/XSS in Redcarpet

CVSS Score (v3.1): 6.8

Basic Information

EPSS Score: 0.51108%
Published: 1/11/2021
Updated: 5/9/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
redcarpet     rubygems   < 3.5.1              3.5.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub commit diff shows that the vulnerability was fixed by adding conditional HTML escaping to the rndr_quote function. Before the patch, the function used bufput() to copy the raw quote text between <q> tags regardless of the renderer flags. The patched version checks whether the HTML_ESCAPE flag is set and calls escape_html() when it is. This matches the CVE description: no HTML escaping was performed in quote processing even with :escape_html enabled. The test case added in markdown_test.rb verifies the fix by checking HTML escaping behaviour inside quotes.
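As an added illustration (not Redcarpet's own code, which implements rndr_quote in C; the function names, the flags Hash and the toy quote renderer are assumptions), a small Ruby model of the pre- and post-patch rndr_quote logic, together with a check that a regression test could apply to rendered output:

```ruby
require 'cgi'

# Stand-in for Redcarpet's escape_html(): entity-encode the characters that
# would otherwise be interpreted as markup.
def escape_html(text)
  CGI.escapeHTML(text)
end

# Pre-3.5.1 behaviour (model): the quote text is copied raw between <q> tags,
# the equivalent of bufput(), and the renderer flags are never consulted.
def rndr_quote_vulnerable(text, _flags)
  "<q>#{text}</q>"
end

# 3.5.1 behaviour (model): escape only when the HTML_ESCAPE flag is set,
# so output without the flag is unchanged from before the patch.
def rndr_quote_fixed(text, flags)
  body = flags[:escape_html] ? escape_html(text) : text
  "<q>#{body}</q>"
end

# Toy stand-in for the :quote extension (assumption, not Redcarpet's parser):
# every "..." span is handed to the quote callback; other text is left alone.
def render(markdown, flags, quote_cb)
  markdown.gsub(/"([^"]*)"/) { quote_cb.call(Regexp.last_match(1), flags) }
end

# Regression check: with :escape_html set, no raw angle bracket may survive
# inside the rendered <q> element. Returns true when the output is escaped.
def quote_escaping_ok?(rendered)
  inner = rendered[%r{<q>(.*)</q>}m, 1]
  !inner.nil? && !inner.include?('<') && !inner.include?('>')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing markup inside a Markdown quote.
  sample = 'He said "<b>hi</b>" and left.'
  flags = { escape_html: true }
  puts render(sample, flags, method(:rndr_quote_vulnerable)) # raw <b> survives
  puts render(sample, flags, method(:rndr_quote_fixed))      # &lt;b&gt; emitted
end
```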


WAF Protection Rules

WAF Rule

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quot…
