Description
Haml vulnerable to cross-site scripting
In haml versions prior to 5.0.0.beta.2, user input rendered into HTML attributes must have the characters < > " ' escaped. Haml's attribute escaping handled the first four but missed the ' character. Because a single quote in a value can close the attribute's quoting, an attacker can craft input that introduces additional attributes (for example an event handler), leading to script execution in the victim's browser.
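As an added illustration, not Haml's own code, the Ruby below models the flaw described above: an attribute escaper that encodes & < > and " but leaves ' alone, with attribute values wrapped in single quotes (Haml's default attribute wrapper). The escape tables, the PAYLOAD string and the helper names are constructed for this example; the fixed table adds the one mapping the advisory says was missing.

```ruby
# Added example (not Haml's own code): models the attribute-escaping flaw in
# CVE-2017-1002201. Values are wrapped in single quotes, so an escaper that
# encodes & < > " but not ' lets attacker input close the quote early.

# Constructed escape tables for this example.
FLAWED_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
FIXED_ESCAPES  = FLAWED_ESCAPES.merge("'" => "&#39;").freeze

# Escape every special character present in +table+; characters absent from
# the table (the ' in the flawed table) pass through untouched.
def html_escape(value, table)
  value.to_s.gsub(/[&<>"']/) { |ch| table.fetch(ch, ch) }
end

# Render one HTML attribute the way a template engine would, wrapping the
# escaped value in +wrapper+ (single quote by default, as in Haml).
def render_attribute(name, value, table, wrapper: "'")
  "#{name}=#{wrapper}#{html_escape(value, table)}#{wrapper}"
end

# Count distinct name=value attributes in the rendered string. A safe
# rendering of a single attribute must yield exactly 1.
def attribute_count(attr_string)
  attr_string.scan(/\b[\w-]+=(?:'[^']*'|"[^"]*")/).size
end

# Constructed attacker input: closes the title value and adds an event handler.
PAYLOAD = "x' onmouseover='alert(1)"

# Render the payload with the flawed and the fixed escaper and report how many
# attributes each output contains.
def demo
  flawed = render_attribute("title", PAYLOAD, FLAWED_ESCAPES)
  fixed  = render_attribute("title", PAYLOAD, FIXED_ESCAPES)
  {
    flawed: flawed,
    fixed: fixed,
    flawed_attrs: attribute_count(flawed),
    fixed_attrs: attribute_count(fixed)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

With the flawed table the output is `title='x' onmouseover='alert(1)'`, two attributes from one value; with the fixed table the quote is encoded as `&#39;` and the whole payload stays inside a single title attribute. The same flawed table would be harmless if values were wrapped in double quotes, since " is escaped, which is why the bug is specific to the quote character the escaper omitted.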
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-1002201
- https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
- https://github.com/haml/haml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/haml/CVE-2017-1002201.yml
- https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html
- https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html
- https://security.gentoo.org/glsa/202007-27
- https://snyk.io/vuln/SNYK-RUBY-HAML-20362
Packages
- haml: affected versions < 5.0.0, patched in 5.0.0