RubySec

Providing security resources for the Ruby community

CVE-2013-4318 (features): Features Gem for Ruby /tmp/out.html Local XSS

ADVISORIES

GEM

features

SEVERITY

CVSS v3.x: 5.4 (Medium)

PATCHED VERSIONS

None.

DESCRIPTION

Features Gem for Ruby contains a flaw that allows a local cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain input upon submission to /tmp/out.html. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.