RubySec

Providing security resources for the Ruby community

CVE-2017-14506 (geminabox): Gem in a Box vulnerable to Cross-site Scripting

Gem in a Box vulnerable to Cross-site Scripting

Published: May 13, 2022

SECURITY IDENTIFIERS

CVE-2017-14506

GEM

geminabox

SEVERITY

CVSS v3.x: 5.4 (Medium)

PATCHED VERSIONS

>= 0.13.6

DESCRIPTION

geminabox (aka Gem in a Box) before 0.13.6 is vulnerable to Cross-site Scripting (XSS), as demonstrated by uploading a gem file whose .gemspec carries a crafted gem.homepage value. Because geminabox renders metadata taken from uploaded gems in its web interface, anyone allowed to push a gem can plant a homepage value that injects script into pages other users view. Upgrade to 0.13.6 or later.
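The following Ruby snippet is an added illustration of the vulnerability class, not geminabox's own code: it builds a gemspec with a crafted homepage (constructed sample), renders it through a hypothetical unescaped ERB view of the kind a gem server might use, and then through a hardened renderer that allowlists http(s) URLs and HTML-escapes every metadata field before it reaches the page. The template, helper names and the example.test URLs are assumptions for the demonstration.

```ruby
require "erb"
require "rubygems"
require "uri"

# Constructed sample gemspec: the homepage field carries an attribute-breakout payload.
# Nothing in Gem::Specification validates this value, so it survives into metadata.
def crafted_spec
  Gem::Specification.new do |s|
    s.name     = "example-gem"
    s.version  = "1.0.0"
    s.summary  = "constructed sample gem"
    s.authors  = ["example"]
    s.homepage = %(https://example.test/"><script>alert(1)</script>)
  end
end

# Hypothetical vulnerable view: metadata interpolated into HTML with no escaping.
# This mirrors the pattern behind the advisory; it is not geminabox's template.
VULNERABLE_TEMPLATE = ERB.new(<<~HTML)
  <li><a href="<%= spec.homepage %>"><%= spec.name %></a></li>
HTML

def render_unescaped(spec)
  VULNERABLE_TEMPLATE.result(binding)
end

# Hardened helper: accept only well-formed http(s) URLs for use in an href.
# Rejects javascript:/data: schemes and any character that could break out of
# a quoted attribute. Returns nil when the value should not be linked at all.
def safe_homepage(raw)
  str = raw.to_s
  return nil if str =~ /[\s"'<>]/
  uri = URI.parse(str)
  uri.is_a?(URI::HTTP) ? uri.to_s : nil # URI::HTTPS is a subclass of URI::HTTP
rescue URI::InvalidURIError
  nil
end

# Hardened renderer: allowlist the URL, then HTML-escape everything that is emitted,
# so even a value that passes the allowlist cannot inject markup.
def render_escaped(spec)
  name = ERB::Util.html_escape(spec.name)
  href = safe_homepage(spec.homepage)
  if href
    %(<li><a href="#{ERB::Util.html_escape(href)}">#{name}</a></li>\n)
  else
    %(<li>#{name}</li>\n)
  end
end

# True when rendered output still contains a live script tag.
def script_injected?(html)
  html.include?("<script>")
end

if $PROGRAM_NAME == __FILE__
  spec = crafted_spec
  puts "unescaped: #{render_unescaped(spec)}"
  puts "escaped:   #{render_escaped(spec)}"
end
```

Escaping the value alone would already neutralise this payload; the scheme allowlist is the extra check that also blocks a syntactically clean `javascript:` homepage from becoming a clickable link.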

RELATED