FreeBSD : rubygem-redcarpet -- XSS vulnerability (c368155a-fa83-11e4-bc58-001e67150279)

high Nessus Plugin ID 83514

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Daniel LeCheminant reports:

When markdown is being presented as HTML, there seems to be a strange interaction between _ and @ that lets an attacker insert malicious tags.

Solution

Update the affected package.

See Also

https://www.openwall.com/lists/oss-security/2015/04/07/11

https://hackerone.com/reports/46916

http://danlec.com/blog/bug-in-sundown-and-redcarpet

http://www.nessus.org/u?7a8325fd

Plugin Details

Severity: High

ID: 83514

File Name: freebsd_pkg_c368155afa8311e4bc58001e67150279.nasl

Version: 2.5

Type: local

Published: 5/18/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:rubygem-redcarpet, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/14/2015

Vulnerability Publication Date: 4/7/2015