CVE-2020-5241 (matestack-ui-core): matestack-ui-core is vulnerable to XSS/Script injection

matestack-ui-core is vulnerable to XSS/Script injection

Published: February 10, 2020

SECURITY IDENTIFIERS

CVE: CVE-2020-5241 (NVD)
GHSA: GHSA-3jqw-vv45-mjhh
Vendor Advisory: https://github.com/matestack/matestack-ui-core/security/advisories/GHSA-3jqw-vv45-mjhh

GEM

matestack-ui-core

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 10.0 (High)

PATCHED VERSIONS

>= 0.7.4

DESCRIPTION

matestack-ui-core does not excape strings by default and does not cover this in the docs. matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability. v0.7.4 fixes that by escaping strings by default.

RubySec