ADVISORIES
GEM
SEVERITY
CVSS v3.x: 6.1 (Medium)
PATCHED VERSIONS
- >= 0.13.10
DESCRIPTION
Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) allows attackers to inject arbitrary web script via a crafted JavaScript URL in the "homepage" value of a ".gemspec" file.
A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Geminabox server, in order to achieve stored XSS via the gem hyperlink.