Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
Reference (s):
- https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- URL: https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- DEBIAN:DSA-4831
- URL: https://www.debian.org/security/2021/dsa-4831
- https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security