CVE-2017-16833 (gemirro): Stored XSS in "gemirro" via injection in Gemspec "homepage" value

Stored XSS in "gemirro" via injection in Gemspec "homepage" value

Published: July 11, 2017

SECURITY IDENTIFIERS

CVE: CVE-2017-16833 (NVD)
GHSA: GHSA-x7p2-x2j6-mwhr
Vendor Advisory: https://github.com/PierreRambaud/gemirro/commit/9659f9b7ce15a723da8e361bd41b9203b19c97de

GEM

gemirro

SEVERITY

CVSS v3.x: 6.1 (Medium)

PATCHED VERSIONS

>= 0.15.0

DESCRIPTION

Stored cross-site scripting (XSS) vulnerability in Gemirro allows attackers to inject arbitrary web script via a crafted JavaScript URL in the "homepage" value of a ".gemspec" file.

A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Gemirro server, in order to achieve stored XSS via the author name hyperlink.

https://github.com/PierreRambaud/gemirro/commit/8acfb9ce9774128d535e2795d583242bb86d6ea8
https://github.com/PierreRambaud/gemirro/commit/8fa709b121b7e18fceda308917d0fb68dc1479c3
https://rubygems.org/gems/gemirro/versions/0.15.0

RubySec