
CVE-2021-28834 – Ubuntu Security Notice USN-6424-1
https://notcve.org/view.php?id=CVE-2021-28834
19 Mar 2021 — Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. It was discovered that kramdown did not restrict Rouge formatters to the correct namespace. An attacker could use this issue to cause kramdown to execute arbitrary code. • https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1 •

CVE-2020-14001 – Debian Security Advisory 4743-1
https://notcve.org/view.php?id=CVE-2020-14001
17 Jul 2020 — The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum. • https://github.com/gettalong/kramdown • CWE-862: Missing Authorization •