PyPI package
markdown2
pkg:pypi/markdown2
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-26813 | — | >= 1.0.1.18, < 2.4.0 | 2.4.0 | Mar 3, 2021 | markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. | ||
| CVE-2020-11888 | — | < 2.3.9 | 2.3.9 | Apr 20, 2020 | python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute. | ||
| CVE-2009-3724 | — | < 1.0.1.14 | 1.0.1.14 | Jan 15, 2020 | python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. | ||
| CVE-2018-5773 | — | < 2.3.6 | 2.3.6 | Jan 18, 2018 | An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the |
- CVE-2021-26813Mar 3, 2021affected >= 1.0.1.18, < 2.4.0fixed 2.4.0
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
- CVE-2020-11888Apr 20, 2020affected < 2.3.9fixed 2.3.9
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.
- CVE-2009-3724Jan 15, 2020affected < 1.0.1.14fixed 1.0.1.14
python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues.
- CVE-2018-5773Jan 18, 2018affected < 2.3.6fixed 2.3.6
An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the