FKIE_CVE-2017-1002201
Vulnerability from fkie_nvd - Published: 2019-10-15 18:15 - Updated: 2024-11-21 03:04
Severity
Summary
In haml versions prior to version 5.0.0.beta.2, when user-supplied input is rendered by the server, characters such as < > " ' must be escaped properly; in this case the ' character was not escaped. An attacker can craft input that introduces additional HTML attributes, potentially leading to script execution in the victim's browser (cross-site scripting).
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| haml | haml | * (CPE match: versions before 5.0.0; the description names 5.0.0.beta.2 as the fixed release) |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:haml:haml:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "BD7B8475-41D4-4A62-91BB-99A105EBA4F2",
"versionEndExcluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
},
{
"lang": "es",
"value": "En haml versiones anteriores a la versi\u00f3n 5.0.0.beta.2, cuando se usa la entrada del usuario para realizar tareas en el servidor, los caracteres como ( ) \" \u0027 necesitan escaparse apropiadamente. En este caso, el car\u00e1cter \u0027 se perdi\u00f3. Un atacante puede manipular la entrada para introducir atributos adicionales, ejecutando potencialmente c\u00f3digo."
}
],
"id": "CVE-2017-1002201",
"lastModified": "2024-11-21T03:04:59.483",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-15T18:15:10.560",
"references": [
{
"source": "josh@bress.net",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"source": "josh@bress.net",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"source": "josh@bress.net",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
},
{
"source": "josh@bress.net",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"source": "josh@bress.net",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
}
],
"sourceIdentifier": "josh@bress.net",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2017-1002201 (GCVE-0-2017-1002201)
Vulnerability from cvelistv5 – Published: 2019-10-15 17:35 – Updated: 2024-08-05 22:08
Summary
In haml versions prior to version 5.0.0.beta.2, when user-supplied input is rendered by the server, characters such as < > " ' must be escaped properly; in this case the ' character was not escaped. An attacker can craft input that introduces additional HTML attributes, potentially leading to script execution in the victim's browser (cross-site scripting).
Severity
No CVSS data available in this record; the FKIE/NVD record above carries CVSS v2 (4.3, MEDIUM) and CVSS v3.1 (6.1, MEDIUM) scores.
CWE
- Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| http://haml.info/ | haml | Affected: All versions prior to version 5.0.0.beta.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "haml",
"vendor": "http://haml.info/",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 5.0.0.beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-29T14:06:09",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "haml",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 5.0.0.beta.2"
}
]
}
}
]
},
"vendor_name": "http://haml.info/"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2017-1002201",
"datePublished": "2019-10-15T17:35:57",
"dateReserved": "2019-10-15T00:00:00",
"dateUpdated": "2024-08-05T22:08:11.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1002201 (GCVE-0-2017-1002201)
Vulnerability from nvd – Published: 2019-10-15 17:35 – Updated: 2024-08-05 22:08
Summary
In haml versions prior to version 5.0.0.beta.2, when user-supplied input is rendered by the server, characters such as < > " ' must be escaped properly; in this case the ' character was not escaped. An attacker can craft input that introduces additional HTML attributes, potentially leading to script execution in the victim's browser (cross-site scripting).
Severity
No CVSS data available in this record; the FKIE/NVD record above carries CVSS v2 (4.3, MEDIUM) and CVSS v3.1 (6.1, MEDIUM) scores.
CWE
- Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| http://haml.info/ | haml | Affected: All versions prior to version 5.0.0.beta.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "haml",
"vendor": "http://haml.info/",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 5.0.0.beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-29T14:06:09",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "haml",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 5.0.0.beta.2"
}
]
}
}
]
},
"vendor_name": "http://haml.info/"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2017-1002201",
"datePublished": "2019-10-15T17:35:57",
"dateReserved": "2019-10-15T00:00:00",
"dateUpdated": "2024-08-05T22:08:11.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}