CVE-2019-10905: Code Injection

April 6, 2019 (updated August 2, 2019)

Parsedown, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.

References

github.com/erusev/parsedown/issues/699
nvd.nist.gov/vuln/detail/CVE-2019-10905

Detect and mitigate CVE-2019-10905 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →