CVE-2013-0256: XSS
First published: Tue Feb 05 2013(Updated: )
A cross-site scripting (XSS) flaw was found in the way Darkfish Rdoc HTML generator / template of RDoc, HTML and command-line documentation producing tool for Ruby, performed sanitization of certain values when creating Rdoc documentation. When Ruby on Rails application exposed its documentation via network, a remote attacker could provide a specially-crafted URL that, when opened would lead to arbitrary web script or HTML code execution in the context of (particular Ruby on Rails application) user's session. This issue affects RDoc versions 2.3.0 to 3.12.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/RDoc | <3.9.5 | 3.9.5 |
| redhat/RDoc | <3.12.1 | 3.12.1 |
| redhat/RDoc | <4.0.0. | 4.0.0. |
| Ruby-lang Rdoc | >=2.3.0<3.12 | |
| Ruby-lang Rdoc | =4.0.0-preview2 | |
| Ruby-lang Ruby | =1.9 | |
| Ruby-lang Ruby | =1.9.1 | |
| Ruby-lang Ruby | =1.9.2 | |
| Ruby-lang Ruby | =1.9.3 | |
| Ruby-lang Ruby | =1.9.3-p0 | |
| Ruby-lang Ruby | =1.9.3-p125 | |
| Ruby-lang Ruby | =1.9.3-p194 | |
| Ruby-lang Ruby | =1.9.3-p286 | |
| Ruby-lang Ruby | =1.9.3-p383 | |
| Ruby-lang Ruby | =2.0 | |
| Ruby-lang Ruby | =2.0.0 | |
| Ruby-lang Ruby | =2.0.0-rc1 | |
| Ruby-lang Ruby | =2.0.0-rc2 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =12.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=908358
- https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60
- http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2
- https://rhn.redhat.com/errata/RHSA-2013-0548.html
- https://rhn.redhat.com/errata/RHSA-2013-0686.html
- https://rhn.redhat.com/errata/RHSA-2013-0701.html
- https://rhn.redhat.com/errata/RHSA-2013-0728.html
- https://bugzilla.redhat.com/show_bug.cgi?id=907820
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html
- http://rhn.redhat.com/errata/RHSA-2013-0548.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://rhn.redhat.com/errata/RHSA-2013-0701.html
- http://rhn.redhat.com/errata/RHSA-2013-0728.html
- http://secunia.com/advisories/52774
- http://www.ubuntu.com/usn/USN-1733-1
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0256
- agent/software-canonical-lookup
- agent/weakness
- agent/tags
- agent/event
- vendor/ruby-lang
- canonical/ruby-lang rdoc
- version/ruby-lang rdoc/2.3.0
- version/ruby-lang rdoc/4.0.0-preview2
- canonical/ruby-lang ruby
- version/ruby-lang ruby/1.9
- version/ruby-lang ruby/1.9.1
- version/ruby-lang ruby/1.9.2
- version/ruby-lang ruby/1.9.3
- version/ruby-lang ruby/1.9.3-p0
- version/ruby-lang ruby/1.9.3-p125
- version/ruby-lang ruby/1.9.3-p194
- version/ruby-lang ruby/1.9.3-p286
- version/ruby-lang ruby/1.9.3-p383
- version/ruby-lang ruby/2.0
- version/ruby-lang ruby/2.0.0
- version/ruby-lang ruby/2.0.0-rc1
- version/ruby-lang ruby/2.0.0-rc2
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/12.10
- package-manager/redhat