CVE-2020-26298: Injection/XSS in Redcarpet
6.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.51108%
CWE
Published
1/11/2021
Updated
5/9/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
redcarpet | rubygems | < 3.5.1 | 3.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub commit diff shows the vulnerability was fixed by adding conditional HTML escaping in the rndr_quote function. Prior to the patch, the function simply used bufput() to insert raw text between <q> tags. The patched version checks if HTML_ESCAPE is enabled and uses escape_html() when required. This matches the CVE description about missing HTML escaping in quote processing even with :escape_html enabled. The test case added in markdown_test.rb specifically verifies this fix by checking HTML escaping behavior in quotes.