2 results (0.017 seconds)

CVSS: 9.8EPSS: 2%CPEs: 5EXPL: 1

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. Kramdown versiones anteriores a 2.3.1, no restringe los formateadores Rouge al espacio de nombres de Rouge::Formatters, y por lo tanto, pueden ser instancializadas clases arbitrarias • https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1 https://github.com/gettalong/kramdown/pull/708 https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJCJVYHPY6LNUFM6LYZIAUIYOMVT5QGV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3BBLUIDCUUR3NEE4NJLOCCAV3ALQ3O6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro •

CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 0

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum. La gema kramdown versiones anteriores a 2.3.0 para Ruby procesa la opción de plantilla dentro de los documentos de Kramdown por defecto, lo que permite el acceso de lectura no deseada (tal y como template="/etc/passwd") o la ejecución de código Ruby insertado no previsto (tal y como una cadena que comienza con template="string://(%= "). NOTA: kramdown es usado en Jekyll, GitLab Pages, GitHub Pages y Thredded Forum • https://github.com/gettalong/kramdown https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0 https://kramdown.gettalong.org https://kramdown.gettalong.org/news.html https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html https://lists.fedoraproject.org/archives/list/package-announ • CWE-862: Missing Authorization •