Cross-Site Scripting Vulnerability in PHP League CommonMark Library
CVE-2019-10010
6.1 MEDIUM
What is CVE-2019-10010?
A cross-site scripting vulnerability exists in the PHP League CommonMark library prior to version 0.18.3. This flaw allows remote attackers to inject unsafe links into HTML documents by exploiting double-encoded HTML entities that are not correctly escaped during rendering. As a result, attackers can potentially execute malicious scripts in the context of the user's browser. It is crucial for developers utilizing this library to upgrade to the latest version to mitigate the risk of exploitation.
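To find affected installs, the following added example (not code from the CommonMark project or from this advisory) checks a `composer.lock` file for a `league/commonmark` release earlier than 0.18.3. It assumes the standard lock layout with `packages` and `packages-dev` arrays; the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "league/commonmark"
FIXED = (0, 18, 3)  # releases before this are affected, per the text above

# Constructed composer.lock excerpt (not taken from a real project).
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "league/commonmark", "version": "0.18.2"},
    {"name": "psr/log", "version": "1.1.0"}
  ],
  "packages-dev": []
}
"""

def parse_version(text):
    """Return (major, minor, patch), or None for refs such as dev-master
    or pre-release tags, which need manual review."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def audit_lock(lock_text):
    """Return (section, version, status) for every league/commonmark entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                status = "unknown"      # branch alias or pre-release tag
            elif ver < FIXED:
                status = "vulnerable"   # prior to 0.18.3
            else:
                status = "fixed"
            findings.append((section, raw, status))
    return findings

if __name__ == "__main__":
    for section, raw, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {raw} ({section}): {status}")
```

An `unknown` result means the lock pins a branch or pre-release rather than a plain release number, so the installed commit has to be checked by hand.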