Sha256: bacbe75bd776fb502589728794967bb0e793eb596a9c193d3e8672083cca7bec

Contents?: true

Size: 881 Bytes

Versions: 3

Compression:

Stored size: 881 Bytes

Contents

---
gem: geminabox
cve: 2017-16792
date: 2017-11-10
url: https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md#01310-2017-11-13
title: Stored XSS in "geminabox" via injection in Gemspec "homepage" value
description: |
  Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem
  in a Box) allows attackers to inject arbitrary web script via a crafted
  JavaScript URL in the "homepage" value of a ".gemspec" file.

  A ".gemspec" file must be created with a JavaScript URL in the homepage
  value. This can be used to build a gem for upload to the Geminabox server,
  in order to achieve stored XSS via the gem hyperlink.

patched_versions:
  - ">= 0.13.10"
related:
  url:
    - https://github.com/geminabox/geminabox/commit/f8429a9e364658459add170e4ebc7a5d3b4759e7
    - https://github.com/geminabox/geminabox/commit/e7e0b16147677e9029f0b55eff6bc6dda52398d4

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/geminabox/CVE-2017-16792.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/geminabox/CVE-2017-16792.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/geminabox/CVE-2017-16792.yml