---
gem: rdoc
cve: 2013-0256
osvdb: 90004
url: http://www.osvdb.org/show/osvdb/90004
title: RDoc 2.3.0 through 3.12 XSS Exploit
date: 2013-02-06

description: |
  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
  may lead to cookie disclosure to third parties.
  
  The exploit exists in darkfish.js which is copied from the RDoc install
  location to the generated documentation.
  
  RDoc is a static documentation generation tool. Patching the library itself
  is insufficient to correct this exploit.
  
  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.

cvss_v2: 4.3

patched_versions:
  - ~> 3.9.5
  - ~> 3.12.1
  - ">= 4.0"