{"id":"PYSEC-2017-18","details":"Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.","aliases":["CVE-2017-16876","GHSA-98gj-wwxm-cj3h"],"modified":"2023-11-08T03:59:13.855357Z","published":"2017-12-29T15:29:00Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/"},{"type":"FIX","url":"https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98"},{"type":"WEB","url":"https://github.com/lepture/mistune/blob/master/CHANGES.rst"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1524596"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-98gj-wwxm-cj3h"}],"affected":[{"package":{"name":"mistune","ecosystem":"PyPI","purl":"pkg:pypi/mistune"},"ranges":[{"type":"GIT","repo":"https://github.com/lepture/mistune","events":[{"introduced":"0"},{"fixed":"5f06d724bc05580e7f203db2d4a4905fc1127f98"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.8.1"}]}],"versions":["0.1.0","0.2.0","0.3.0","0.3.1","0.4","0.4.1","0.5","0.5.1","0.6","0.7","0.7.1","0.7.2","0.7.3","0.7.4","0.8"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mistune/PYSEC-2017-18.yaml"}}],"schema_version":"1.7.3"}