RedCloth Cross-site Scripting vulnerability
Published: October 24, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2012-6684 (NVD)
- GHSA: GHSA-r23g-3qw4-gfh2
- Vendor Advisory: http://co3k.org/blog/redcloth-unfixed-xss-en
GEM
SEVERITY
CVSS v2.0: 4.3 (Medium)
PATCHED VERSIONS
>= 4.3.0
DESCRIPTION
Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a "javascript:" URI.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2012-6684
- http://co3k.org/blog/redcloth-unfixed-xss-en
- https://gist.github.com/co3k/75b3cb416c342aa1414c
- https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
- https://github.com/advisories/GHSA-r23g-3qw4-gfh2
- http://seclists.org/fulldisclosure/2014/Dec/50
- http://www.debian.org/security/2015/dsa-3168
- https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss