CVE-2018-20583

NONE EPSS 72.7%
Published Dec 30, 2018 (7y ago) · Modified Jun 17, 2026 (2w ago)

Description

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt).

Threat Intelligence

EPSS Exploit Probability
72.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor        Product     Version  Range
thephpleague  commonmark  *        ≥0.15.6 – ≤0.18.0

References 3

  • commonmark.thephpleague.com https://commonmark.thephpleague.com/changelog/
    Release Notes, Third Party Advisory
  • github.com https://github.com/thephpleague/commonmark/issues/337
    Exploit, Third Party Advisory
  • github.com https://github.com/thephpleague/commonmark/releases/tag/0.18.1
    Release Notes, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.