PYSEC-2018-13

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/markdown2/PYSEC-2018-13.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2018-13
Aliases
Published
2018-01-18T21:29:00Z
Modified
2023-11-01T04:49:32.017278Z
Summary
[none]
Details

An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag.

References

Affected packages

PyPI / markdown2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.6

Affected versions

1.*

1.0.1.6
1.0.1.7
1.0.1.8
1.0.1.9
1.0.1.10
1.0.1.11
1.0.1.12
1.0.1.13
1.0.1.14
1.0.1.15
1.0.1.16
1.0.1.17
1.0.1.18
1.0.1.19
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5