CVE-2017-16876 — Cross-site Scripting in Project Mistune

CWE-79 — Cross-site Scripting9 documents5 sources

Severity

6.1MEDIUMNVD

OSV9.8

EPSS

0.2%

top 54.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mistune Project Mistune Redhat Ansible Debian Mistune +1 more

Timeline

PublishedDec 29

Latest updateJul 24

Description

Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶debiandebian/mistune< mistune 0.8.1-1 (bookworm)

▶NVDmistune_project/mistune< 0.8.1

▶PyPImistune_project/mistune< 0.8.1

▶Debianmistune_project/mistune< 0.8.1-1+3

▶Ubunturedhat/ansible< 2.0.0.2-2ubuntu1.3+1

Also affects: Fedora 26

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

ansible vulnerabilities↗2019-07-24

▶

GHSA

mistune Cross-site scripting (XSS) vulnerability↗2019-01-04

▶

OSV

mistune Cross-site scripting (XSS) vulnerability↗2019-01-04

▶

OSV

CVE-2017-16876: Cross-site scripting (XSS) vulnerability in the _keyify function in mistune↗2017-12-29

▶

📋Vendor Advisories

Debian

CVE-2017-16876: mistune - Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py i...↗2017

▶

💬Community

Bugzilla

CVE-2017-16876 python-mistune: Cross-site-scripting [epel-7]↗2017-12-11

▶

Bugzilla

CVE-2017-16876 python-mistune: Cross-site-scripting↗2017-12-11

▶

Bugzilla

CVE-2017-16876 python-mistune: Cross-site-scripting [fedora-all]↗2017-12-11

▶