Commonmark
Monthly
The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.