Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
Created rubygem-redcarpet tracking bugs for this issue:
Affects: epel-all [bug 1915372]
Affects: fedora-all [bug 1915371]
Affects: openstack-rdo [bug 1915373]