CVE-2019-10010

{"id": "CVE-2019-10010", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-03-24T18:29:00.270", "references": [{"url": "https://github.com/thephpleague/commonmark/issues/353", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/thephpleague/commonmark/releases/tag/0.18.3", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583."}, {"lang": "es", "value": "Vulnerabilidad Cross-Site Scripting (XSS) en la librer\u00eda PHP League CommonMark, en versiones anteriores a la 0.18.3, permite que los atacantes remotos inserten enlaces inseguros en HTML mediante el uso de entidades HTML doblemente cifradas que no se escapan correctamente durante el renderizado. Esta vulnerabilidad es diferente de CVE-2018-20583."}], "lastModified": "2019-03-26T19:03:08.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thephpleague:commonmark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "098433E7-BD98-4DDE-BFAE-D7A87A245853", "versionEndExcluding": "0.18.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}