GHSA-r53w-g4xm-3gc6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r53w-g4xm-3gc6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-r53w-g4xm-3gc6/GHSA-r53w-g4xm-3gc6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r53w-g4xm-3gc6
- Aliases
- Published
- 2019-10-21T21:59:13Z
- Modified
- 2025-01-14T06:59:46.964666Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Haml vulnerable to cross-site scripting
- Details
-
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like
< > " 'must be escaped properly. In this case, the'character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code. - Database specific
{ "severity": "MODERATE", "github_reviewed_at": "2019-10-16T15:18:02Z", "nvd_published_at": "2019-10-15T18:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-1002201
- https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
- https://github.com/haml/haml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/haml/CVE-2017-1002201.yml
- https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html
- https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html
- https://security.gentoo.org/glsa/202007-27
- https://snyk.io/vuln/SNYK-RUBY-HAML-20362
Affected packages
RubyGems / haml
Package
- Name
- haml
- Purl
- pkg:gem/haml
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.0.0
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.5.0
1.5.1
1.5.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
3.*
3.0.0.beta.1
3.0.0.beta.2
3.0.0.beta.3
3.0.0.rc.1
3.0.0.rc.2
3.0.0.rc.3
3.0.0.rc.4
3.0.0.rc.5
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.21
3.0.22
3.0.23
3.0.24
3.0.25
3.1.0.alpha.2
3.1.0.alpha.5
3.1.0.alpha.9
3.1.0.alpha.10
3.1.0.alpha.12
3.1.0.alpha.14
3.1.0.alpha.17
3.1.0.alpha.18
3.1.0.alpha.19
3.1.0.alpha.22
3.1.0.alpha.23
3.1.0.alpha.26
3.1.0.alpha.27
3.1.0.alpha.28
3.1.0.alpha.30
3.1.0.alpha.33
3.1.0.alpha.36
3.1.0.alpha.37
3.1.0.alpha.141
3.1.0.alpha.144
3.1.0.alpha.145
3.1.0.alpha.147
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5.beta.1
3.1.5.rc.1
3.1.5
3.1.6.rc.1
3.1.6
3.1.7
3.1.8
3.2.0.alpha.2
3.2.0.alpha.3
3.2.0.alpha.4
3.2.0.alpha.5
3.2.0.alpha.8
3.2.0.alpha.10
3.2.0.alpha.13
3.2.0.alpha.14
3.2.0.beta.1
3.2.0.beta.2
3.2.0.beta.3
3.2.0.rc.1
3.2.0.rc.2
3.2.0.rc.3
3.2.0.rc.4
4.*
4.0.0.rc.1
4.0.0
4.0.1.rc.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0.alpha.2
4.1.0.beta.1
5.*
5.0.0.beta.2