CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.

• https://github.com/thephpleague/commonmark/issues/353
• https://github.com/thephpleague/commonmark/releases/tag/0.18.3
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt).

• https://commonmark.thephpleague.com/changelog
• https://github.com/thephpleague/commonmark/issues/337
• https://github.com/thephpleague/commonmark/releases/tag/0.18.1
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')