Python-Markdown2 Project: >> Python-Markdown2 >> 1.4.1 Security Vulnerabilities
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.
CVSS Score
6.1
EPSS Score
0.008
Published
2020-04-20
An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-18