CVE-2018-1000162

{"id": "CVE-2018-1000162", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2018-04-18T19:29:00.583", "references": [{"url": "https://github.com/Roave/SecurityAdvisories/issues/44#issuecomment-368594409", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/erusev/parsedown/pull/495", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/Roave/SecurityAdvisories/issues/44#issuecomment-368594409", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/erusev/parsedown/pull/495", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML escaping by breaking AST boundaries. This vulnerability appears to have been fixed in 1.7.0 and later."}, {"lang": "es", "value": "Parsedown, en versiones anteriores a la 1.7.0, contiene una vulnerabilidad de Cross-Site Scripting (XSS) en `setMarkupEscaped` para escapar HTML que puede resultar en la ejecuci\u00f3n de c\u00f3digo JavaScript. Este ataque parece ser explotable mediante un marcado especialmente manipulado que permite el escapado HTML lateral rompiendo los l\u00edmites de AST. La vulnerabilidad parece haber sido solucionada en las versiones 1.7.0 y siguientes."}], "lastModified": "2024-11-21T03:39:49.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parsedown:parsedown:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77E6B3A5-36E1-4EAB-AB3A-B0DE89846774", "versionEndExcluding": "1.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}