Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: easymon
date: 2018-11-09
url: https://github.com/basecamp/easymon/issues/26
cve: 2018-1000855
title: Reflected XSS in Firefox in check endpoint
description: |
  When an invalid check name is passed as a parameter to the endpoint where the
  easymon routes are mounted, the application returns a 406 response whose body
  contains the invalid check name unescaped. Malicious JavaScript injected into
  that name is therefore reflected into the response and executed by Firefox.
patched_versions:
- ">= 1.4.1"
related:
  url:
    - https://github.com/basecamp/easymon/pull/25
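The reflection pattern the advisory describes, shown as an added Ruby illustration. This is not easymon's code and not the fix that shipped in 1.4.1: the handler, the check names, the response headers and the probe string are all assumptions chosen so the behaviour can be reproduced in plain Ruby without a web server. The vulnerable handler interpolates the caller-controlled name straight into the 406 body; the hardened handler HTML-escapes it and additionally declares a non-HTML content type with nosniff, a general mitigation rather than a statement of what the upstream patch changed.

```ruby
require "erb"

# Added illustration of the reflection pattern in the advisory. NOT easymon's
# code; handlers, check names and headers are assumptions for this example.

# Constructed stand-in for the checks a mounted easymon engine would expose.
KNOWN_CHECKS = %w[database redis].freeze

# A response is modelled as [status, headers, body], the shape a Rack app
# returns, so the handlers can be exercised without a web server.
def vulnerable_check_response(check_name)
  if KNOWN_CHECKS.include?(check_name)
    return [200, { "Content-Type" => "text/plain" }, "#{check_name}: ok"]
  end
  # The flaw: the caller-controlled name is interpolated into the 406 body
  # verbatim, so "<script>...</script>" reaches the browser unchanged.
  [406, { "Content-Type" => "text/html" }, "#{check_name} is not a known check"]
end

def hardened_check_response(check_name)
  if KNOWN_CHECKS.include?(check_name)
    return [200, { "Content-Type" => "text/plain" }, "#{check_name}: ok"]
  end
  # Escape the reflected value so markup characters become entities, and
  # declare a non-HTML type with nosniff so the browser has no reason to
  # interpret the body as a document even if escaping were ever missed.
  safe_name = ERB::Util.html_escape(check_name)
  headers = {
    "Content-Type" => "text/plain; charset=utf-8",
    "X-Content-Type-Options" => "nosniff"
  }
  [406, headers, "#{safe_name} is not a known check"]
end

# Detection helper: does the response body carry the probe back unmodified?
# Handy when checking a deployed instance for the unpatched behaviour.
def reflects_unescaped?(response, probe)
  response[2].include?(probe)
end

# Constructed probe: markup that would execute if the body were rendered as HTML.
PROBE = "<script>alert(1)</script>".freeze

if __FILE__ == $PROGRAM_NAME
  ["database", PROBE].each do |name|
    v = vulnerable_check_response(name)
    h = hardened_check_response(name)
    puts "vulnerable: #{v[0]} #{v[2].inspect} reflected=#{reflects_unescaped?(v, PROBE)}"
    puts "hardened:   #{h[0]} #{h[2].inspect} reflected=#{reflects_unescaped?(h, PROBE)}"
  end
end
```

Running the file prints both handlers' responses for a valid name and for the probe; only the vulnerable 406 body contains the probe verbatim. When testing a real deployment, compare the body of a 406 for a deliberately invalid name against the name you sent: an unmodified echo of angle brackets is the unpatched behaviour.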