Lucene search

RubySecRUBY:SMASHING-2021-35440

HistoryMay 23, 2022 - 9:00 p.m.

Smashing Cross-site Scripting vulnerability

2022-05-2321:00:00

RubySec

github.com

smashing 1.3.4

cross site scripting

xss

javascript

data theft

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for
a widget can be crafted and used to execute JavaScript on the victim’s computer.
The JavaScript code can then steal data available in the session/cookies depending
on the user environment (e.g. if re-using internal URL’s for deploying, or cookies
that are very permissive) private information may be retrieved by the attacker.

Affected configurations

Vulners

Node

rubysmashingRange≤1.3.5

VendorProductVersionCPE
rubysmashing*cpe:2.3:a:ruby:smashing:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	smashing	*	cpe:2.3:a:ruby:smashing::::::::

References

github.com/Smashing/smashing/pull/186

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

Related for RUBY:SMASHING-2021-35440