RubySec

Providing security resources for the Ruby community

CVE-2020-35305 (gollum): XSS via `filename` parameter to New Page dialog

ADVISORIES

GEM

gollum

SEVERITY

CVSS v3.x: 6.1 (Medium)

UNAFFECTED VERSIONS

  • < 5.0

PATCHED VERSIONS

  • >= 5.1.2

DESCRIPTION

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

RELATED

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories