Fluid Attacks Database

Description

XSS in python-markdown2 python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-markdown2	>=0 <2.3.9-1	2.3.9-1
debian 14	python-markdown2	>=0 <2.3.9-1	2.3.9-1
debian 13	python-markdown2	>=0 <2.3.9-1	2.3.9-1
pypi	markdown2	>=0 <2.3.9	2.3.9
debian 12	python-markdown2	>=0 <2.3.9-1	2.3.9-1

Aliases

1. CVE-2020-118882. NVD-2020-118883. OSV-DEBIAN-2020-118884. OSV-2020-118885. GCVE-2020-118886. SECURITY-TRACKER-CVE-2020-11888

References

1. https://github.com/trentm/python-markdown2/issues/3482. https://github.com/pypa/advisory-database/tree/main/vulns/markdown2/PYSEC-2020-65.yaml3. https://lists.fedoraproject.org/archives/list/[email protected]/message/6XOAIRJJCZNJUALXDHSIGH5PS2H63A3J4. https://lists.fedoraproject.org/archives/list/[email protected]/message/AQLRBGRVRRZK7P5SFL2MNGXFX37YHJAV5. https://lists.fedoraproject.org/archives/list/[email protected]/message/PN6QSHRFZXRQAYZJQ4MOW5MKIXBYOMED6. http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00031.html7. http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00035.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.