Sha256: 616a27d443922bb177772fbb614eee644563909990b58d5ae7fd354c9e9fc760

Contents?: true

Size: 1.26 KB

Versions: 1

Compression:

Stored size: 1.26 KB

Contents

---
gem: kaminari
cve: 2020-11082
ghsa: r5jw-62xg-j433
url: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
date: 2020-05-28
title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
description: |-
  ### Impact
  There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

  For example, an attacker could craft pagination links that link to another domain or host:
  https://example.com/posts?page=4&original_script_name=https://another-host.example.com

  In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link:
  https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//

  ### Releases
  The 1.2.1 gem including the patch has already been released.
  All past released versions are affected by this vulnerability.

  ### Workarounds
  Application developers who can't update the gem can work around the issue by overriding the `PARAM_KEY_EXCEPT_LIST` constant.

  ```ruby
  module Kaminari::Helpers
    PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
  end
  ```

cvss_v3: 6.4

patched_versions:
  - ">= 1.2.1"
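
The filtering that the workaround above relies on, as an added example that is not part of the advisory or of Kaminari's code: a simplified model in which request parameters not on the except list reach URL generation, and `original_script_name` is consumed there as a path prefix. `pagination_href`, `relative_href?`, `ASSUMED_UNPATCHED_EXCEPT_LIST` and the `/posts` path are hypothetical names chosen here, and the "before" list is an assumption (the workaround list minus `:original_script_name`).

```ruby
require 'uri'

# Except list exactly as given in the advisory's workaround.
WORKAROUND_EXCEPT_LIST = %i[
  authenticity_token commit utf8 _method script_name original_script_name
].freeze

# Assumption for the "before" case: the same list without :original_script_name.
ASSUMED_UNPATCHED_EXCEPT_LIST =
  (WORKAROUND_EXCEPT_LIST - [:original_script_name]).freeze

# Simplified stand-in for pagination link building (assumption, not Kaminari code):
# request params are filtered by the except list, the page number is set, and
# whatever :original_script_name survives the filter is used as a path prefix.
def pagination_href(request_params, page, except_list, path: '/posts')
  params = request_params.transform_keys(&:to_sym)
  params = params.reject { |key, _| except_list.include?(key) }
  params[:page] = page
  prefix = params.delete(:original_script_name).to_s
  "#{prefix}#{path}?#{URI.encode_www_form(params)}"
end

# Regression check for generated pagination links: they must stay on the
# current origin, i.e. be a path starting with a single "/".
def relative_href?(href)
  href.start_with?('/') && !href.start_with?('//')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request params, taken from the first URL in the advisory.
  params = { 'page' => '4',
             'original_script_name' => 'https://another-host.example.com' }
  { 'assumed unpatched list' => ASSUMED_UNPATCHED_EXCEPT_LIST,
    'workaround list' => WORKAROUND_EXCEPT_LIST }.each do |label, list|
    href = pagination_href(params, 5, list)
    puts format('%-24s %-50s relative=%s', label, href, relative_href?(href))
  end
end
```

A check like `relative_href?` can be asserted in a view or request spec against every rendered pagination link, so the filter is verified on the application's own pages after the upgrade or the workaround is in place.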

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/kaminari/CVE-2020-11082.yml