GHSA-r5jw-62xg-j433
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r5jw-62xg-j433
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-r5jw-62xg-j433/GHSA-r5jw-62xg-j433.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r5jw-62xg-j433
- Aliases
- Published
- 2020-05-28T21:10:11Z
- Modified
- 2023-11-08T04:02:05.309096Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- Cross-Site Scripting in Kaminari
- Details
-
Impact
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
Releases
The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.
Workarounds
Application developers who can't update the gem can workaround by overriding the
PARAM_KEY_EXCEPT_LISTconstant.module Kaminari::Helpers PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze endCredits
Thanks to Daniel Mircea for finding the issue and sending a patch via GitHub. Also thanks to Aditya Prakash for reporting the vulnerability.
- Database specific
{ "nvd_published_at": "2020-05-28T21:15:00Z", "github_reviewed_at": "2020-05-28T21:05:32Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
- https://nvd.nist.gov/vuln/detail/CVE-2020-11082
- https://github.com/github/advisory-review/pull/1020
- https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8
- https://github.com/kaminari/kaminari
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kaminari/CVE-2020-11082.yml
- https://lists.debian.org/debian-lts-announce/2021/09/msg00011.html
- https://www.debian.org/security/2021/dsa-5005
Affected packages
RubyGems / kaminari
Package
- Name
- kaminari
- Purl
- pkg:gem/kaminari
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.1
Affected versions
0.*
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.12
0.9.13
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.11.0
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.16.1
0.16.2
0.16.3
0.17.0
1.*
1.0.0.beta2
1.0.0.rc1
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0