GHSA-xmr7-v725-2jjr

Suggest an improvement
Source
https://github.com/advisories/GHSA-xmr7-v725-2jjr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xmr7-v725-2jjr/GHSA-xmr7-v725-2jjr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xmr7-v725-2jjr
Aliases
Published
2021-08-25T20:52:12Z
Modified
2023-11-08T04:05:25.341735Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross site scripting in comrak
Details

An issue was discovered in the comrak crate before 0.9.1 for Rust. Cross site scripting (XSS) can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.

Database specific 
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T17:34:25Z"
}
References

Affected packages

crates.io / comrak

Package

Name
comrak
View open source insights on deps.dev
Purl
pkg:cargo/comrak

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.1