Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive


gem: geminabox
date: 2017-11-10
cve: 2017-16792
title: Stored XSS in "geminabox" via injection in Gemspec "homepage" value
description: |
  Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem
  in a Box) allows attackers to inject arbitrary web script via a crafted
  JavaScript URL in the "homepage" value of a ".gemspec" file.

  A ".gemspec" file must be created with a JavaScript URL in the homepage
  value. This can be used to build a gem for upload to the Geminabox server,
  in order to achieve stored XSS via the gem hyperlink.
- ">= 0.13.10"
  url: '["",
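The advisory above describes a gem "homepage" value being rendered straight into a hyperlink, so a `javascript:` URL becomes stored XSS for anyone who clicks the link. The Ruby below is an added illustration, not geminabox's own code or its actual fix: it contrasts the unsafe interpolation pattern with a hardened renderer that only accepts absolute `http`/`https` homepages and HTML-escapes the result. The method names, the allow-list and the sample values are constructed for this example.

```ruby
require "uri"
require "cgi"

# Schemes a gemspec "homepage" is allowed to use when shown as <a href>.
# (Constructed allow-list for this example; http and https only.)
ALLOWED_HOMEPAGE_SCHEMES = %w[http https].freeze

# Unsafe pattern matching the advisory: the gemspec value is interpolated
# into href unchanged, so "javascript:..." is emitted as a clickable link.
# Kept here only to contrast with the hardened version below.
def render_homepage_unsafe(homepage)
  %(<a href="#{homepage}">homepage</a>)
end

# Hardened: return a canonical absolute http(s) URL, or nil when the value
# is anything else (javascript:, data:, ftp:, a bare path, garbage, nil).
def safe_homepage_href(homepage)
  return nil if homepage.nil?

  candidate = homepage.to_s.strip
  return nil if candidate.empty?

  uri = URI.parse(candidate)
  # URI::HTTPS < URI::HTTP, so this single check covers both allowed schemes;
  # javascript: and data: parse as URI::Generic and are rejected here.
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless ALLOWED_HOMEPAGE_SCHEMES.include?(uri.scheme.downcase)
  return nil if uri.host.nil? || uri.host.empty?

  uri.to_s
rescue URI::InvalidURIError
  # Values with control characters or other junk are not valid URLs at all.
  nil
end

# Hardened renderer: validated URL, HTML-escaped attribute, no link otherwise.
def render_homepage(homepage)
  href = safe_homepage_href(homepage)
  return "<span>no homepage</span>" if href.nil?

  %(<a href="#{CGI.escapeHTML(href)}" rel="noopener noreferrer">homepage</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed gemspec homepage values, including a JavaScript URL.
  ["https://example.com/gem", "javascript:void(0)", "/local/path", nil].each do |value|
    puts "#{value.inspect} -> #{render_homepage(value)}"
  end
end
```

The scheme check is done on the parsed `URI` object rather than with a string prefix match, so case variants (`JavaScript:`), surrounding whitespace and malformed input all fall through to the "no link" branch instead of reaching the HTML.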