ADVISORIES

• CVE-2017-14506 (NVD)
• GHSA-98hq-3qvg-pg78
• Vendor Advisory

GEM

geminabox

SEVERITY

CVSS v3.x: 5.4 (Medium)

PATCHED VERSIONS

• >= 0.13.6

DESCRIPTION

geminabox (aka Gem in a Box) before 0.13.6 is vulnerable to Cross-site Scripting (XSS), as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.

RELATED

• https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md
• https://github.com/geminabox/geminabox/commit/99aaae196c4fc6ae0df28e186ca1e493ae658e02