CVE-2018-20583 - XSS Vulnerability in league/commonmark


A cross-site scripting (XSS) vulnerability was found in the PHP League's CommonMark library (league/commonmark) versions 0.15.6 through 0.18.x before 0.18.1. It allows remote attackers to insert unsafe URLs into <a> tags (even if allow_unsafe_links is false) by adding an encoded newline character in the middle (e.g., writing javascript as javascri%0Apt).

Version 0.18.1 has been released to fix this issue. All users are strongly encouraged to upgrade to this version.

For more details about the vulnerability, potential impact, and the solution please see the library's official announcement here about CVE-2018-20583.

About Colin O'Dell

Colin O'Dell

Colin O'Dell is a Senior Software Engineer at SeatGeek. In addition to being an active member of the PHP League and maintainer of the league/commonmark project, Colin is also a PHP docs contributor, conference speaker, and author of the PHP 7 Migration Guide.