CVE-2017-15612 — Cross-site Scripting in Project Mistune

CWE-79 — Cross-site Scripting8 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 69.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mistune Project Mistune Debian Mistune

Timeline

PublishedOct 19

Latest updateMay 17

Description

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/mistune< mistune 0.8-1 (bookworm)

▶PyPImistune_project/mistune< 0.8

▶Debianmistune_project/mistune< 0.8-1+3

▶NVDmistune_project/mistune0.7.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Cross-site Scripting in Mistune↗2022-05-17

▶

OSV

Cross-site Scripting in Mistune↗2022-05-17

▶

OSV

CVE-2017-15612: mistune↗2017-10-19

▶

📋Vendor Advisories

Debian

CVE-2017-15612: mistune - mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in jav...↗2017

▶

💬Community

Bugzilla

CVE-2017-15612 python-mistune: XSS via an unexpected newline / crafted email address↗2017-10-23

▶

Bugzilla

CVE-2017-15612 python-mistune: XSS via an unexpected newline / crafted email address [fedora-all]↗2017-10-23

▶

Bugzilla

CVE-2017-15612 python-mistune: XSS via an unexpected newline / crafted email address [epel-7]↗2017-10-23

▶