gollum is vulnerable to cross-site scripting. The vulnerability exists because the breadcrumb function in overview.rb and page.rb does not properly escape the element.to_s and title.to_s values before rendering them on the page, allowing an attacker to inject and execute malicious JavaScript through the URL path.