View Issue Details
| Field | Value |
|---|---|
| ID | 0025675 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2019-04-04 04:24 |
| Last Update | 2019-04-21 02:53 |
| Reporter | dregad |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 2.12.1 |
| Target Version | 2.20.1 |
| Fixed in Version | 2.20.1 |
| Summary | 0025675: CVE-2019-10905: Update Parsedown library to 1.7.3 |
| Description | Parsedown < 1.7.2 is vulnerable to attacks allowing users to inject arbitrary CSS classes into code blocks. This affects all MantisBT issues where Markdown processing is enabled. For further details, see https://github.com/erusev/parsedown/issues/699 The problem was fixed in Parsedown 1.7.2, but due to a mislabeled release tag, 1.7.3 was released shortly thereafter. |
| Tags | No tags attached. |
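The following is an added illustration of the weakness the description refers to; it is not code from this issue, from MantisBT or from Parsedown. It is a minimal fenced-code-block renderer in Python: `render_weak` copies the fence's whole info string into the `class` attribute, so whitespace-separated tokens after the language name become extra CSS classes on the code block, while `render_hardened` keeps only the first token and accepts it only if it matches a conservative allow-list. The sample Markdown inputs are constructed, and the modelling of the injection vector as extra tokens in the info string is an assumption made for the example, not a description of Parsedown's internals.

```python
import html
import re

# Constructed sample inputs (not taken from the original issue).
SAMPLES = {
    "plain": "```php\necho 1;\n```",
    # Attacker-supplied info string carrying extra class names after the language.
    "injected": "```php mantis-admin is-hidden\necho 1;\n```",
}

# Opening fence: three or more backticks, optional whitespace, then the info string.
FENCE_RE = re.compile(r"^(`{3,})[ \t]*(.*?)[ \t]*$")
# Allow-list for a language name: letters, digits and a few punctuation characters.
LANG_RE = re.compile(r"^[A-Za-z0-9_+.-]+$")


def split_fence(block: str):
    """Return (info_string, code_body) for a fenced block; raise if it is not one."""
    lines = block.split("\n")
    m = FENCE_RE.match(lines[0])
    if not m or len(lines) < 2 or not lines[-1].startswith(m.group(1)):
        raise ValueError("not a fenced code block")
    return m.group(2), "\n".join(lines[1:-1])


def render_weak(block: str) -> str:
    """Weak renderer (assumed behaviour): the entire info string is used for the class.

    The attribute value is HTML-escaped, so this is class injection rather than
    raw HTML injection: the attacker controls which classes the block carries."""
    info, code = split_fence(block)
    attrs = f' class="language-{html.escape(info, quote=True)}"' if info else ""
    return f"<pre><code{attrs}>{html.escape(code)}</code></pre>"


def render_hardened(block: str) -> str:
    """Hardened renderer: only the first whitespace-delimited token is used, and only
    if it matches the allow-list; anything else yields a block with no class at all."""
    info, code = split_fence(block)
    tokens = info.split()
    lang = tokens[0] if tokens else ""
    attrs = f' class="language-{lang}"' if lang and LANG_RE.match(lang) else ""
    return f"<pre><code{attrs}>{html.escape(code)}</code></pre>"


def classes_of(rendered: str) -> list:
    """Extract the class tokens from the rendered <code> element (for inspection)."""
    m = re.search(r'class="([^"]*)"', rendered)
    return m.group(1).split() if m else []


if __name__ == "__main__":
    for name, md in SAMPLES.items():
        print(name, "weak     ->", classes_of(render_weak(md)))
        print(name, "hardened ->", classes_of(render_hardened(md)))
```

Because the attribute value is escaped in both renderers, the impact is limited to attacker-chosen class names on the code block, which matters wherever site CSS or JavaScript keys behaviour on class names. The operator-side check for this issue is simply that `composer.lock` pins `erusev/parsedown` at 1.7.2 or later (1.7.3 in the committed fix).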
MantisBT: dependabot/composer/erusev/parsedown-1.7.3 72e34794 2019-04-02 22:40 dependabot[bot] Committer: dregad

Bump erusev/parsedown from 1.7.1 to 1.7.3

Bumps [erusev/parsedown](https://github.com/erusev/parsedown) from 1.7.1 to 1.7.3.
- [Release notes](https://github.com/erusev/parsedown/releases)
- [Commits](https://github.com/erusev/parsedown/compare/1.7.1...1.7.3)

Signed-off-by: dependabot[bot] <support@dependabot.com>

Fixes 0025675

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0025675

mod - composer.lock