[Secure-testing-team] Bug#879098: mistune: CVE-2017-15612: cross-site scripting vulnerablity
Salvatore Bonaccorso
carnil at debian.org
Thu Oct 19 11:45:29 UTC 2017
Source: mistune
Version: 0.7.4-1
Severity: important
Tags: patch security upstream
Control: found -1 0.7.3-1
Hi,
the following vulnerability was published for mistune.
CVE-2017-15612[0]:
| mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such
| as in java\nscript:) or a crafted email address, related to the escape
| and autolink functions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15612
[1] https://github.com/lepture/mistune/pull/140
Regards,
Salvatore
More information about the Secure-testing-team
mailing list