RubySec

Providing security resources for the Ruby community

CVE-2020-5241 (matestack-ui-core): matestack-ui-core is vulnerable to XSS/Script injection

ADVISORIES

GEM

matestack-ui-core

SEVERITY

CVSS v3: 9.8 (Critical)

CVSS v2: 10.0 (High)

PATCHED VERSIONS

  • >= 0.7.4

DESCRIPTION

matestack-ui-core does not excape strings by default and does not cover this in the docs. matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability. v0.7.4 fixes that by escaping strings by default.