GHSA-5m48-c37x-f792

Source
https://github.com/advisories/GHSA-5m48-c37x-f792
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-5m48-c37x-f792/GHSA-5m48-c37x-f792.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5m48-c37x-f792
Aliases
  • CVE-2013-4170
Published
2022-07-01T00:01:11Z
Modified
2024-02-20T05:33:44.894917Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data
Details

In general, Ember.js escapes or strips user-supplied content before inserting it into strings that are later assigned to `innerHTML`. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` from user-supplied data, a specially crafted value could break out of the opening tag and execute arbitrary JavaScript in the context of the current origin (cross-site scripting, "XSS"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`; views whose `tagName` is a fixed string chosen by the application are not affected.
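The following is an added example, not code from Ember.js or from this advisory. It models the rendering step the advisory describes (a view's opening tag is built as a string and handed to `innerHTML`) in a few lines of plain JavaScript, so the injection can be seen without a browser: attribute values are escaped, `tagName` is concatenated verbatim, and the same constructed payload is safe in one position and becomes injected markup in the other. The hardened variant's allowlist regex is this example's own choice and is not Ember's exact fix; `openTagVulnerable`, `openTagHardened`, `countStartTags` and `PAYLOAD` are all names invented here.

```javascript
// Added example, not Ember.js code: a minimal model of building a view's
// opening tag as a string destined for innerHTML.

// Escape text placed inside a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable model: attribute values are escaped, but tagName is
// concatenated verbatim (the behaviour the advisory describes).
function openTagVulnerable(tagName, attrs) {
  const attrText = Object.entries(attrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
  return `<${tagName}${attrText}>`;
}

// Hardened model: reject anything not shaped like an element name before it
// reaches string concatenation. The allowlist is this example's choice.
const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;

function openTagHardened(tagName, attrs) {
  if (typeof tagName !== "string" || !TAG_NAME_RE.test(tagName)) {
    throw new TypeError(`refusing unsafe tagName: ${JSON.stringify(tagName)}`);
  }
  return openTagVulnerable(tagName, attrs);
}

// Count start tags in an HTML fragment; one opening tag should yield 1.
function countStartTags(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}

// Constructed payload standing in for user-supplied data bound to tagName.
// It closes the intended element and smuggles in an <img> with a handler.
const PAYLOAD = 'div><img src=x onerror="alert(document.domain)"><div';

function demo() {
  const attrs = { id: "ember123", class: "ember-view" };
  const results = {
    // Same payload bound to an attribute value: neutralised by escaping.
    asAttribute: openTagVulnerable("div", { title: PAYLOAD }),
    // Payload bound to tagName: the injected markup survives intact.
    asTagName: openTagVulnerable(PAYLOAD, attrs),
    hardenedRejects: false,
  };
  try {
    openTagHardened(PAYLOAD, attrs);
  } catch (e) {
    results.hardenedRejects = e instanceof TypeError;
  }
  return results;
}

console.log(demo());
```

The attribute-value case yields a single `<div ...>` with the payload entity-encoded inside `title`; the `tagName` case yields three start tags, the middle one carrying the event handler. In a real page that string would be parsed by `innerHTML` and the handler would fire. The hardened variant refuses the value outright rather than trying to escape it, because there is no safe encoding of a tag name that contains spaces or angle brackets.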

Database specific
{
    "nvd_published_at": "2022-06-30T13:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-12T21:27:47Z"
}
References

Affected packages

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0.rc1.1

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9

1.*

1.0.0.pre4.0
1.0.0.pre4.1
1.0.0.pre4.2
1.0.0.rc1.0.0

Database specific

{
    "last_known_affected_version_range": "<= 1.0.0.rc1.0"
}

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0.rc2.0
Fixed
1.0.0.rc2.1

Affected versions

1.*

1.0.0.rc2.0

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0.rc3.0
Fixed
1.0.0.rc3.1

Affected versions

1.*

1.0.0.rc3.0
1.0.0.rc3

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0.rc4.0
Fixed
1.0.0.rc4.1

Affected versions

1.*

1.0.0.rc4.0
1.0.0.rc4

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0.rc5.0
Fixed
1.0.0.rc5.1

Affected versions

1.*

1.0.0.rc5.0
1.0.0.rc5

RubyGems / ember-source

Package

Name
ember-source
Purl
pkg:gem/ember-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0.rc6.0
Fixed
1.0.0.rc6.1

Affected versions

1.*

1.0.0.rc6.0
1.0.0.rc6
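The six range blocks above are easier to apply than to read. The following is an added example, not code from OSV or from the ember-source gem: it encodes those introduced/fixed pairs and answers "is this ember-source version affected?" offline, including for a version string pulled from a constructed Gemfile.lock fragment. Because the ranges are RubyGems versions with prerelease tags (`pre4`, `rc1.1`), naive string or semver comparison gives wrong answers; the comparator here is modelled on RubyGems' Gem::Version ordering as understood by the author of this example (split into numeric and alphabetic segments, a letter segment sorts before any number, missing segments read as 0, trailing zeros are insignificant) and is this example's own reimplementation, not the RubyGems library. `AFFECTED_RANGES`, `isAffected`, `compareVersions` and `lockedVersion` are names invented here.

```javascript
// Added example, not OSV or ember-source code: affected-range check for
// the ECOSYSTEM ranges listed on this page.

// The introduced/fixed pairs from the advisory; "0" means all prior versions.
const AFFECTED_RANGES = [
  { introduced: "0", fixed: "1.0.0.rc1.1" },
  { introduced: "1.0.0.rc2.0", fixed: "1.0.0.rc2.1" },
  { introduced: "1.0.0.rc3.0", fixed: "1.0.0.rc3.1" },
  { introduced: "1.0.0.rc4.0", fixed: "1.0.0.rc4.1" },
  { introduced: "1.0.0.rc5.0", fixed: "1.0.0.rc5.1" },
  { introduced: "1.0.0.rc6.0", fixed: "1.0.0.rc6.1" },
];

// "1.0.0.rc1.1" -> [1, "rc", 1, 1]: split into numeric/alphabetic runs, then
// drop trailing zeros from the numeric prefix and from the remainder
// (modelled on Gem::Version#canonical_segments; assumption of this example).
function canonicalSegments(version) {
  const segs = (String(version).match(/\d+|[A-Za-z]+/g) || []).map((s) =>
    /^\d+$/.test(s) ? Number(s) : s
  );
  const firstStr = segs.findIndex((s) => typeof s === "string");
  const numeric = firstStr === -1 ? segs : segs.slice(0, firstStr);
  const rest = firstStr === -1 ? [] : segs.slice(firstStr);
  const trim = (a) => {
    const b = a.slice();
    while (b.length && b[b.length - 1] === 0) b.pop();
    return b;
  };
  return trim(numeric).concat(trim(rest));
}

// Returns -1, 0 or 1. A letter segment sorts below any number, so
// 1.0.0.rc1 < 1.0.0 and 1.0.0.pre4 < 1.0.0.rc1.
function compareVersions(a, b) {
  const la = canonicalSegments(a);
  const lb = canonicalSegments(b);
  const n = Math.max(la.length, lb.length);
  for (let i = 0; i < n; i++) {
    const x = i < la.length ? la[i] : 0;
    const y = i < lb.length ? lb[i] : 0;
    if (x === y) continue;
    const xs = typeof x === "string";
    const ys = typeof y === "string";
    if (xs && !ys) return -1;
    if (!xs && ys) return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Affected if introduced <= version < fixed for any listed range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) =>
      compareVersions(version, r.introduced) >= 0 &&
      compareVersions(version, r.fixed) < 0
  );
}

// Pull a gem's resolved version out of Gemfile.lock text. Assumes the usual
// Bundler layout where resolved specs sit at four-space indentation.
function lockedVersion(lockText, gemName) {
  const m = lockText.match(new RegExp(`^ {4}${gemName} \\(([^)]+)\\)`, "m"));
  return m ? m[1] : null;
}

// Constructed Gemfile.lock fragment for demonstration only.
const SAMPLE_LOCK = [
  "GEM",
  "  remote: https://rubygems.org/",
  "  specs:",
  "    ember-source (1.0.0.rc3.0)",
  "    rake (10.0.4)",
  "",
].join("\n");

const locked = lockedVersion(SAMPLE_LOCK, "ember-source");
console.log(`ember-source ${locked}: affected=${isAffected(locked)}`);
```

Run against the sample lock it reports `1.0.0.rc3.0` as affected, matching the third range block; `1.0.0.rc3.1`, the final `1.0.0` release and later versions fall outside every range.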