RubySec

Providing security resources for the Ruby community

OSVDB-120857 (refile): refile Gem for Ruby contains a remote code execution vulnerability

ADVISORIES

GEM

refile

UNAFFECTED VERSIONS

  • < 0.5.0

PATCHED VERSIONS

  • >= 0.5.4

DESCRIPTION

The refile gem for Ruby contains a flaw that is triggered because input is not sanitized when handling the 'remote_image_url' form field (where 'image' is the name of the attachment). This may allow a remote attacker to execute arbitrary shell commands.
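Upgrading to a patched version is the fix; as an added defensive example (not refile's own code), the hypothetical helper below shows the kind of strict validation an application can apply to a user-supplied 'remote_image_url' value before anything is fetched: only absolute http(s) URLs with a host pass, everything else (bare paths, other schemes, userinfo, whitespace) is rejected, and an optional host allowlist can narrow it further. The helper name and the sample hosts are constructed for this example.

```ruby
require "uri"

# Hypothetical helper (not part of refile): validates a user-supplied
# remote image URL before the application fetches it.
# Returns the URL as a String, or nil when the value must be rejected.
ALLOWED_SCHEMES = %w[http https].freeze

def validate_remote_image_url(value, allowed_hosts: nil)
  return nil unless value.is_a?(String) && !value.empty?
  # A legitimate URL never contains whitespace or control characters;
  # reject them before parsing rather than trying to clean them up.
  return nil if value.match?(/[[:space:][:cntrl:]]/)

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return nil
  end

  # Only absolute http(s) URLs are acceptable. URI::HTTPS is a subclass of
  # URI::HTTP, so this single check excludes file:, ftp:, data: and bare
  # relative paths, which URI.parse returns as URI::Generic.
  return nil unless uri.is_a?(URI::HTTP) && ALLOWED_SCHEMES.include?(uri.scheme)
  return nil if uri.host.nil? || uri.host.empty?
  # user:pass@host forms are not needed for image fetching and are a
  # common source of URL confusion, so reject them outright.
  return nil if uri.userinfo

  # Optional allowlist (constructed by the caller) of hosts the
  # application is willing to fetch images from.
  return nil if allowed_hosts && !allowed_hosts.include?(uri.host.downcase)

  uri.to_s
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, as a form handler might receive them.
  ["https://cdn.example.com/cat.png", "just-a-filename.png", "file:///etc/hosts"].each do |v|
    puts "#{v.inspect} => #{validate_remote_image_url(v).inspect}"
  end
end
```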

RELATED