Search criteria
1 vulnerability by haml
CVE-2017-1002201 (GCVE-0-2017-1002201)
Vulnerability from cvelistv5 – Published: 2019-10-15 17:35 – Updated: 2024-08-05 22:08
VLAI?
Summary
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
Severity ?
No CVSS data available.
CWE
- Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| http://haml.info/ | haml |
Affected:
All versions prior to version 5.0.0.beta.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "haml",
"vendor": "http://haml.info/",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 5.0.0.beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-29T14:06:09",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "haml",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 5.0.0.beta.2"
}
]
}
}
]
},
"vendor_name": "http://haml.info/"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2017-1002201",
"datePublished": "2019-10-15T17:35:57",
"dateReserved": "2019-10-15T00:00:00",
"dateUpdated": "2024-08-05T22:08:11.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}