6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26298

GHSA ID

GHSA-q3wr-qw3g-3p4h

EPSS Score

0.51108%

CWE

CWE-74

Published

1/11/2021

Updated

5/9/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26298

CVE-2020-26298: Injection/XSS in Redcarpet

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26298

GHSA ID

GHSA-q3wr-qw3g-3p4h

EPSS Score

0.51108%

CWE

CWE-74

Published

1/11/2021

Updated

5/9/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
redcarpet	rubygems	< 3.5.1	3.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub commit diff shows the vulnerability was fixed by adding conditional HTML escaping in the rndr_quote function. Prior to the patch, the function simply used bufput() to insert raw text between <q> tags. The patched version checks if HTML_ESCAPE is enabled and uses escape_html() when required. This matches the CVE description about missing HTML escaping in quote processing even with :escape_html enabled. The test case added in markdown_test.rb specifically verifies this fix by checking HTML escaping behavior in quotes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R****rp*t is * Ru*y li*r*ry *or M*rk*own pro**ssin*. In R****rp*t ***or* v*rsion *.*.*, t**r* is *n inj**tion vuln*r**ility w*i** **n *n**l* * *ross-sit* s*riptin* *tt**k. In *****t** v*rsions no *TML *s**pin* w*s **in* p*r*orm** w**n pro**ssin* quot

Reasoning

T** *it*u* *ommit *i** s*ows t** vuln*r**ility w*s *ix** *y ***in* *on*ition*l *TML *s**pin* in t** rn*r_quot* *un*tion. Prior to t** p*t**, t** *un*tion simply us** *u*put() to ins*rt r*w t*xt **tw**n <q> t**s. T** p*t**** v*rsion ****ks i* *TML_*S*

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-26298: Injection/XSS in Redcarpet

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI