RubySec

Providing security resources for the Ruby community

CVE-2017-16792 (geminabox): Stored XSS in "geminabox" via injection in Gemspec "homepage" value

ADVISORIES

GEM

geminabox

PATCHED VERSIONS

  • >= 0.13.10

DESCRIPTION

Stored cross-site scripting (XSS) vulnerability in “geminabox” (Gem in a Box) allows attackers to inject arbitrary web script via a crafted JavaScript URL in the “homepage” value of a “.gemspec” file.

A “.gemspec” file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Geminabox server, in order to achieve stored XSS via the gem hyperlink.