View Issue Details

ID: 0025675
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-04-21 02:53
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.12.1
Target Version: 2.20.1
Fixed in Version: 2.20.1
Summary: 0025675: CVE-2019-10905: Update Parsedown library to 1.7.3
Description

Parsedown < 1.7.2 is vulnerable to attacks allowing users to inject arbitrary CSS classes into code blocks. This affects all MantisBT issues where Markdown processing is enabled.

For further details, see https://github.com/erusev/parsedown/issues/699

The problem was fixed in Parsedown 1.7.2, but due to a mislabeled release tag, 1.7.3 was released shortly thereafter.

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: dependabot/composer/erusev/parsedown-1.7.3 72e34794

Date: 2019-04-02 22:40
Author: dependabot[bot]
Committer: dregad
Bump erusev/parsedown from 1.7.1 to 1.7.3

Bumps [erusev/parsedown](https://github.com/erusev/parsedown) from 1.7.1 to 1.7.3.
- [Release notes](https://github.com/erusev/parsedown/releases)
- [Commits](https://github.com/erusev/parsedown/compare/1.7.1...1.7.3)

Signed-off-by: dependabot[bot] <support@dependabot.com>

Fixes 0025675

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0025675
Files: mod - composer.lock