CVE-2013-0256: XSS
First published: Tue Feb 05 2013(Updated: )
A cross-site scripting (XSS) flaw was found in the way Darkfish Rdoc HTML generator / template of RDoc, HTML and command-line documentation producing tool for Ruby, performed sanitization of certain values when creating Rdoc documentation. When Ruby on Rails application exposed its documentation via network, a remote attacker could provide a specially-crafted URL that, when opened would lead to arbitrary web script or HTML code execution in the context of (particular Ruby on Rails application) user's session. This issue affects RDoc versions 2.3.0 to 3.12.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/RDoc | <3.9.5 | 3.9.5 |
| redhat/RDoc | <3.12.1 | 3.12.1 |
| redhat/RDoc | <4.0.0. | 4.0.0. |
| Ruby RDoc | >=2.3.0<3.12 | |
| Ruby RDoc | =4.0.0-preview2 | |
| Ruby | =1.9 | |
| Ruby | =1.9.1 | |
| Ruby | =1.9.2 | |
| Ruby | =1.9.3 | |
| Ruby | =1.9.3-p0 | |
| Ruby | =1.9.3-p125 | |
| Ruby | =1.9.3-p194 | |
| Ruby | =1.9.3-p286 | |
| Ruby | =1.9.3-p383 | |
| Ruby | =2.0 | |
| Ruby | =2.0.0 | |
| Ruby | =2.0.0-rc1 | |
| Ruby | =2.0.0-rc2 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=908358
- https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60
- http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2
- https://rhn.redhat.com/errata/RHSA-2013-0548.html
- https://rhn.redhat.com/errata/RHSA-2013-0686.html
- https://rhn.redhat.com/errata/RHSA-2013-0701.html
- https://rhn.redhat.com/errata/RHSA-2013-0728.html
- https://bugzilla.redhat.com/show_bug.cgi?id=907820
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html
- http://rhn.redhat.com/errata/RHSA-2013-0548.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://rhn.redhat.com/errata/RHSA-2013-0701.html
- http://rhn.redhat.com/errata/RHSA-2013-0728.html
- http://secunia.com/advisories/52774
- http://www.ubuntu.com/usn/USN-1733-1
Frequently Asked Questions
What is the severity of CVE-2013-0256?
CVE-2013-0256 has been assigned a medium severity level due to potential cross-site scripting vulnerabilities.
How do I fix CVE-2013-0256?
To fix CVE-2013-0256, update RDoc to version 3.9.6 or higher, or any version above 4.0.0.
What software is affected by CVE-2013-0256?
CVE-2013-0256 affects RDoc versions up to 3.9.5, 3.12.1, and 4.0.0-preview2, as well as several Ruby versions.
How does CVE-2013-0256 exploit work?
CVE-2013-0256 exploits a cross-site scripting flaw in the sanitization process during RDoc documentation generation.
Can CVE-2013-0256 affect my Ruby on Rails application?
Yes, if your Ruby on Rails application exposes its RDoc documentation without proper sanitization, it can be vulnerable to CVE-2013-0256.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0256
- agent/software-canonical-lookup
- agent/weakness
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ruby-lang
- canonical/ruby rdoc
- version/ruby rdoc/2.3.0
- version/ruby rdoc/4.0.0-preview2
- canonical/ruby
- version/ruby/1.9
- version/ruby/1.9.1
- version/ruby/1.9.2
- version/ruby/1.9.3
- version/ruby/1.9.3-p0
- version/ruby/1.9.3-p125
- version/ruby/1.9.3-p194
- version/ruby/1.9.3-p286
- version/ruby/1.9.3-p383
- version/ruby/2.0
- version/ruby/2.0.0
- version/ruby/2.0.0-rc1
- version/ruby/2.0.0-rc2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/12.10