Lucene search

RubySecRUBY:GEMIRRO-2017-16833

HistoryJul 10, 2017 - 9:00 p.m.

Stored XSS in "gemirro" via injection in Gemspec "homepage" value

2017-07-1021:00:00

RubySec

github.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

34.9%

JSON

Stored cross-site scripting (XSS) vulnerability in Gemirro allows
attackers to inject arbitrary web script via a crafted JavaScript URL
in the “homepage” value of a “.gemspec” file.

A “.gemspec” file must be created with a JavaScript URL in the homepage
value. This can be used to build a gem for upload to the Gemirro server,
in order to achieve stored XSS via the author name hyperlink.

Affected configurations

Vulners

Node

rubygemirroRange≤0.15.0

VendorProductVersionCPE
rubygemirro*cpe:2.3:a:ruby:gemirro:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	gemirro	*	cpe:2.3:a:ruby:gemirro::::::::

References

github.com/PierreRambaud/gemirro/commit/9659f9b7ce15a723da8e361bd41b9203b19c97de

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

34.9%

JSON

Related for RUBY:GEMIRRO-2017-16833