View Issue Details

ID: 0025675
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-04-21 02:53
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.12.1
Target Version: 2.20.1
Fixed in Version: 2.20.1
Summary: 0025675: CVE-2019-10905: Update Parsedown library to 1.7.3
Description

Parsedown < 1.7.2 is vulnerable to attacks allowing users to inject arbitrary CSS classes into code blocks. This affects all MantisBT issues where Markdown processing is enabled.

For further details, see https://github.com/erusev/parsedown/issues/699

The problem was fixed in Parsedown 1.7.2, but because that release tag was mislabeled, 1.7.3 was released shortly thereafter.
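To make the class of weakness concrete, the following Python model (an added example, not Parsedown's or MantisBT's code) turns the info string of a fenced code block into the class attribute of the rendered code element in two ways: an unsafe variant that copies the whole info string, so every space-separated word becomes an extra CSS class the Markdown author controls, and a hardened variant that keeps only the first whitespace-delimited token and restricts it to a conservative character set. The function names, the constructed sample info strings and the allowed character set are this example's own assumptions; the single-token rule reflects my understanding of the approach taken upstream, but the code is not Parsedown's. A small detection helper flags rendered output that carries more than one class token, which is a cheap check to run over already-stored rendered HTML.

```python
import html
import re

# Constructed sample inputs: the text a user types after the opening
# backticks of a fenced code block (the "info string").
SAMPLE_INFO_STRINGS = [
    "php",
    "php extra-class another-class",  # constructed: extra tokens smuggled in
    "c++",
    "",
]

# Whitespace characters that separate class tokens in an HTML class attribute.
_CLASS_SEPARATORS = r"[ \t\n\f\r]"

# Conservative allow-list for a language token (assumption of this example).
_LANGUAGE_TOKEN = re.compile(r"[A-Za-z0-9_+#.-]+")


def class_attr_unsafe(info):
    """Model of the weak behaviour: the whole info string is copied into the
    class attribute, so each space-separated word becomes its own CSS class."""
    if not info:
        return ""
    return ' class="language-%s"' % html.escape(info, quote=True)


def class_attr_hardened(info):
    """Hardened variant: keep only the first whitespace-delimited token and
    require it to match the allow-list, so the author controls at most the
    suffix of a single 'language-*' class."""
    token = re.split(_CLASS_SEPARATORS, info, maxsplit=1)[0]
    if not token or not _LANGUAGE_TOKEN.fullmatch(token):
        return ""
    return ' class="language-%s"' % html.escape(token, quote=True)


def render_fenced(info, body, hardened=True):
    """Render a fenced code block as <pre><code ...>body</code></pre>.
    The body is always HTML-escaped; only the class handling differs."""
    attr = class_attr_hardened(info) if hardened else class_attr_unsafe(info)
    return "<pre><code%s>%s</code></pre>" % (attr, html.escape(body))


def extra_classes(rendered):
    """Detection helper: return every class token beyond the first on the
    rendered <code> tag. A correctly rendered block carries at most one."""
    match = re.search(r'<code class="([^"]*)"', rendered)
    if not match:
        return []
    return match.group(1).split()[1:]


if __name__ == "__main__":
    for info in SAMPLE_INFO_STRINGS:
        weak = render_fenced(info, "echo 1;", hardened=False)
        safe = render_fenced(info, "echo 1;", hardened=True)
        print("info=%r" % info)
        print("  unsafe  :", weak, "extra classes:", extra_classes(weak))
        print("  hardened:", safe, "extra classes:", extra_classes(safe))
```

Running the block prints both renderings for each sample; the constructed "php extra-class another-class" input yields two extra class tokens under the unsafe model and none under the hardened one.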

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: dependabot/composer/erusev/parsedown-1.7.3 72e34794
2019-04-03 02:40:37
dependabot[bot]
Committer: dregad
Bump erusev/parsedown from 1.7.1 to 1.7.3

Bumps [erusev/parsedown](https://github.com/erusev/parsedown) from 1.7.1 to 1.7.3.
- [Release notes](https://github.com/erusev/parsedown/releases)
- [Commits](https://github.com/erusev/parsedown/compare/1.7.1...1.7.3)

Signed-off-by: dependabot[bot] <support@dependabot.com>

Fixes 0025675

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0025675
mod - composer.lock

Issue History

Date Modified Username Field Change
2019-04-04 04:24 dregad New Issue
2019-04-04 04:24 dregad Status new => assigned
2019-04-04 04:24 dregad Assigned To => dregad
2019-04-04 04:24 dregad Issue generated from: 0024297
2019-04-04 05:41 dregad Changeset attached => MantisBT dependabot/composer/erusev/parsedown-1.7.3 72e34794
2019-04-04 05:41 dregad Status assigned => resolved
2019-04-04 05:41 dregad Resolution open => fixed
2019-04-04 05:46 dregad Fixed in Version => 2.20.1
2019-04-04 05:46 dregad View Status private => public
2019-04-08 10:15 dregad Summary Update Parsedown library to 1.7.3 => CVE-2019-10905: Update Parsedown library to 1.7.3
2019-04-21 02:53 vboctor Status resolved => closed