Stored Cross-Site Scripting via unescaped table header ID attributes in markdown
Summary
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration. A flaw was found in Showdown. This vulnerability, a stored cross-site scripting (XSS) issue, allows an attacker to inject malicious code into web pages. When untrusted markdown is processed, this can lead to the execution of malicious scripts in a user's web browser, potentially compromising user data or session integrity. Showdown, as integrated into Red Hat products, is susceptible to a stored cross-site scripting vulnerability. Affected versions: <= 2.1.0. Red Hat severity: Moderate — CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Weakness: CWE-79. Affected Red Hat products: Cryostat 4; Multicluster Engine for Kubernetes; Node HealthCheck Operator; Red Hat 3scale API Management Platform 2; Red Hat Advanced Cluster Management for Kubernetes 2; Red Hat Ansible Automation Platform 2; Red Hat OpenShift AI (RHOAI); Red Hat OpenShift Container Platform 4; Red Hat OpenShift Virtualization 4; Red Hat Quay 3.
Mitigation checklist
- To mitigate this vulnerability, avoid rendering untrusted markdown content within applications utilizing Showdown. If processing untrusted markdown is unavoidable, ensure that all input is thoroughly sanitized before rendering to prevent the injection of malicious HTML or script-executing elements.
Official advisory · high-confidence parse· fetched 24 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.