GHSA-R5JW-62XG-J433

Vulnerability from github – Published: 2020-05-28 21:10 – Updated: 2021-09-23 13:55
VLAI?
Summary
Cross-Site Scripting in Kaminari
Details

Impact

In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.

Releases

The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.

Workarounds

Application developers who can't update the gem can workaround by overriding the PARAM_KEY_EXCEPT_LIST constant.

module Kaminari::Helpers
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end

Credits

Thanks to Daniel Mircea for finding the issue and sending a patch via GitHub. Also thanks to Aditya Prakash for reporting the vulnerability.

Severity ?
6.4 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "kaminari"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-28T21:05:32Z",
    "nvd_published_at": "2020-05-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.\n\n### Releases\nThe 1.2.1 gem including the patch has already been released.\nAll past released versions are affected by this vulnerability.\n\n### Workarounds\nApplication developers who can\u0027t update the gem can workaround by overriding the `PARAM_KEY_EXCEPT_LIST` constant.\n\n```ruby\nmodule Kaminari::Helpers\n  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze\nend\n```\n\n### Credits\nThanks to Daniel Mircea for finding the issue and sending a patch via GitHub. Also thanks to Aditya Prakash for reporting the vulnerability.",
  "id": "GHSA-r5jw-62xg-j433",
  "modified": "2021-09-23T13:55:11Z",
  "published": "2020-05-28T21:10:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-review/pull/1020"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kaminari/kaminari"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kaminari/CVE-2020-11082.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting in Kaminari"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.