CVE-2020-26297: XSS in mdBook
This is a cross-post of the official security advisory. The official post contains a signed version with our PGP key, as well.
The Rust Security Response Working Group was recently notified of a security issue affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page.
The CVE for this vulnerability is CVE-2020-26297.
References
- github.com/advisories/GHSA-gx5w-rrhp-f436
- github.com/rust-lang/mdBook
- github.com/rust-lang/mdBook/blob/master/CHANGELOG.md
- github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b
- github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436
- groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0
- nvd.nist.gov/vuln/detail/CVE-2020-26297
- rustsec.org/advisories/RUSTSEC-2021-0001.html
Code Behaviors & Features
Detect and mitigate CVE-2020-26297 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →