Описание
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
Ссылки
- PatchThird Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 6.4.0 (исключая)
cpe:2.3:a:gon_project:gon:*:*:*:*:*:ruby:*:*
Конфигурация 2
Одно из
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
EPSS
Процентиль: 73%
0.00763
Низкий
6.1 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 6.1
ubuntu
больше 5 лет назад
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
CVSS3: 6.1
debian
больше 5 лет назад
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...
CVSS3: 6.1
github
почти 5 лет назад
Gon gem lack of escaping certain input when outputting as JSON
EPSS
Процентиль: 73%
0.00763
Низкий
6.1 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-79