Published 17 days ago
Category: Code Injection
Source: GitHub
Severity: Moderate

Vulnerability in kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
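
The missing restriction described above, shown as an added Ruby example (not kramdown's or Rouge's own code): one lookup that lets a formatter name resolve outside its namespace, next to one that confines it. `DemoFormatters`, `resolve_unrestricted` and `resolve_restricted` are hypothetical names; `DemoFormatters` is a constructed stand-in for `Rouge::Formatters`.

```ruby
# Added illustration. DemoFormatters is a constructed stand-in for the
# Rouge::Formatters namespace; all names here are hypothetical.
module DemoFormatters
  class HTML; end
  class HTMLLegacy; end
end

# A bare constant name: no "::" separators, no leading lowercase.
SIMPLE_CONST = /\A[[:upper:]][[:alnum:]_]*\z/

# Unrestricted form: const_get inherits by default, so a name that is not
# defined in DemoFormatters is also looked up on Object.
def resolve_unrestricted(name)
  DemoFormatters.const_get(name)
end

# Restricted form: accept only a bare name that is defined directly inside
# DemoFormatters and that is a class. Anything else raises ArgumentError.
def resolve_restricted(name)
  unless name.is_a?(String) && SIMPLE_CONST.match?(name) &&
         DemoFormatters.const_defined?(name, false)
    raise ArgumentError, "unknown formatter: #{name.inspect}"
  end
  klass = DemoFormatters.const_get(name, false)
  raise ArgumentError, "not a class: #{name}" unless klass.is_a?(Class)
  klass
end

if __FILE__ == $PROGRAM_NAME
  %w[HTML File ::File Object::File html].each do |name|
    result = begin
      resolve_restricted(name).to_s
    rescue ArgumentError => e
      "rejected (#{e.message})"
    end
    puts "#{name.ljust(14)} -> #{result}"
  end
end
```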

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 2.3.1

Unaffected Versions

< 1.16.0