RubySec

Providing security resources for the Ruby community

CVE-2017-16833 (gemirro): Stored XSS in "gemirro" via injection in Gemspec "homepage" value

ADVISORIES

GEM

gemirro

PATCHED VERSIONS

  • >= 0.15.0

DESCRIPTION

Stored cross-site scripting (XSS) vulnerability in Gemirro allows attackers to inject arbitrary web script via a crafted JavaScript URL in the “homepage” value of a “.gemspec” file.

A “.gemspec” file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Gemirro server, in order to achieve stored XSS via the author name hyperlink.