CVE-2013-0256 - Vulnerability Details

CVE-2013-0256 - rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Cloudforms Cloudengine	1
Redhat	Openshift
Rhel Sam	1.2
Ruby-lang	Rdoc Ruby

Configuration 1 [-]

OR	cpe:2.3:a:ruby-lang:rdoc::::::ruby::*
	cpe:2.3:a:ruby-lang:rdoc:4.0.0:preview2::::ruby::*
	cpe:2.3:a:ruby-lang:ruby:1.9:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.1:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.3:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p0::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p125::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p194::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p286::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p383::::::
	cpe:2.3:a:ruby-lang:ruby:2.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2::::::

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*

Package	CPE	Advisory	Released Date
CloudForms for RHEL 6
rubygem-activesupport-1:3.0.10-10.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-delayed_job-0:2.1.4-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rack-1:1.3.0-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rails_warden-0:0.5.5-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rdoc-0:3.8-6.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rspec-rails-0:2.6.1-7.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-ruby_parser-0:2.0.4-6.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-shoulda-0:2.11.3-5.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
Red Hat Subscription Asset Manager 1.2
candlepin-0:0.7.24-1.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
katello-0:1.2.1.1-1h.el6_4	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
katello-configure-0:1.2.3.1-4h.el6_4	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-actionpack-1:3.0.10-12.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-activemodel-0:3.0.10-3.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-delayed_job-0:2.1.4-3.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-json-0:1.7.3-2.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-rack-1:1.3.0-4.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-rails_warden-0:0.5.5-2.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
rubygem-rdoc-0:3.8-6.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
thumbslug-0:0.0.28.1-1.el6_4	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0686	2013-03-26T00:00:00Z
RHEL 6 Version of OpenShift Enterprise
ruby193-ruby-0:1.9.3.327-28.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0701	2013-04-02T00:00:00Z
rubygem-json-0:1.7.3-2.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0701	2013-04-02T00:00:00Z
rubygem-rdoc-0:3.8-9.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0701	2013-04-02T00:00:00Z
ruby193-rubygem-activesupport-1:3.2.8-4.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-bcrypt-ruby-0:3.0.1-7.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-bson-0:1.5.2-6.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-chunky_png-0:1.2.6-3.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-ci_reporter-0:1.7.2-4.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-compass-0:0.12.2-4.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-fastthread-0:1.0.7-7.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-haml-0:3.1.7-3.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-http_connection-0:1.4.1-7.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-rack-1:1.4.1-5.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-rack-test-0:0.6.1-3.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-rspec-0:2.11.0-2.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-treetop-0:1.4.10-6.el6	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z
ruby193-rubygem-xml-simple-0:1.0.12-10.el6op	cpe:/a:redhat:openshift:1::el6	RHSA-2013:0728	2013-04-09T00:00:00Z

References

Link	Providers
http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html
http://rhn.redhat.com/errata/RHSA-2013-0548.html
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://rhn.redhat.com/errata/RHSA-2013-0701.html
http://rhn.redhat.com/errata/RHSA-2013-0728.html
http://secunia.com/advisories/52774
http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/
http://www.ubuntu.com/usn/USN-1733-1
https://bugzilla.redhat.com/show_bug.cgi?id=907820
https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60
https://nvd.nist.gov/vuln/detail/CVE-2013-0256
https://www.cve.org/CVERecord?id=CVE-2013-0256

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-03-01T02:00:00

Updated: 2024-08-06T14:18:09.523Z

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0256

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-03-01T05:40:17.583

Modified: 2024-11-21T01:47:10.307

Link: CVE-2013-0256

Redhat

Severity : Moderate

Publid Date: 2013-02-06T00:00:00Z

Links: CVE-2013-0256 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-03-06T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:0701", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"}, {"name": "52774", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52774"}, {"name": "openSUSE-SU-2013:0303", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"}, {"name": "RHSA-2013:0728", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"}, {"name": "RHSA-2013:0686", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"}, {"name": "RHSA-2013:0548", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"}, {"name": "USN-1733-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, {"name": "SUSE-SU-2013:0647", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0256", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2013:0701", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"name": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/", "refsource": "CONFIRM", "url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"}, {"name": "52774", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52774"}, {"name": "openSUSE-SU-2013:0303", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"}, {"name": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2", "refsource": "MISC", "url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"}, {"name": "RHSA-2013:0728", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"}, {"name": "RHSA-2013:0686", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"name": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60", "refsource": "CONFIRM", "url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"}, {"name": "RHSA-2013:0548", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"}, {"name": "USN-1733-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=907820", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, {"name": "SUSE-SU-2013:0647", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:18:09.523Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2013:0701", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"}, {"name": "52774", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/52774"}, {"name": "openSUSE-SU-2013:0303", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"}, {"name": "RHSA-2013:0728", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"}, {"name": "RHSA-2013:0686", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"}, {"name": "RHSA-2013:0548", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"}, {"name": "USN-1733-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, {"name": "SUSE-SU-2013:0647", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0256", "datePublished": "2013-03-01T02:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.523Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:rdoc:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "C60BA6CA-3872-433E-9CDA-465EFB11F230", "versionEndExcluding": "3.12", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:rdoc:4.0.0:preview2:*:*:*:ruby:*:*", "matchCriteriaId": "2C0C6748-AE0F-4E21-AA18-59583D5123AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "D9237145-35F8-4E05-B730-77C0F386E5B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "C78BB1D8-0505-484D-B824-1AA219F8B247", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "5178D04D-1C29-4353-8987-559AA07443EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "D0535DC9-EB0E-4745-80AC-4A020DF26E38", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*", "matchCriteriaId": "94F5AA37-B466-4E2E-B217-5119BADDD87B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*", "matchCriteriaId": "6DF0F0F5-4022-4837-9B40-4B1127732CC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*", "matchCriteriaId": "B3848B08-85C2-4AAD-AA33-CCEB80EF5B32", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*", "matchCriteriaId": "B7927D40-2A3A-43AD-99F6-CE61882A1FF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*", "matchCriteriaId": "AA406EC6-6CA5-40A6-A879-AA8940CBEF07", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "90E0471D-1323-4E67-B66C-DEBF3BBAEEAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B03B7561-A854-4EFA-9E4E-CFC4EEAE4EE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "285A3431-BDFE-40C5-92CD-B18217757C23", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D66B32CB-AC49-4A1C-85ED-6389F27CB319", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."}, {"lang": "es", "value": "darkfish.js de RDoc v2.3.0 hasta v3.12 y v4.x antes de v4.0.0.preview2.1, tal como se utiliza en Ruby, no se gener\u00f3 correctamente los documentos, que permite a atacantes remotos realizar ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) a trav\u00e9s de una URL manipulada."}], "evaluatorImpact": "Per http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/\r\nAffected versions\r\nAll ruby 1.9 versions prior to ruby 1.9.3 patchlevel 383\r\nAll ruby 2.0 versions prior to ruby 2.0.0 rc2 or prior to trunk revision 39102\r\n", "id": "CVE-2013-0256", "lastModified": "2024-11-21T01:47:10.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-03-01T05:40:17.583", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/52774"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/52774"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Eric Hodel (RDoc upstream) for reporting this issue. Upstream acknowledges Evgeny Ermakov as the original reporter.", "affected_release": [{"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-activesupport-1:3.0.10-10.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-delayed_job-0:2.1.4-3.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-rack-1:1.3.0-3.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-rails_warden-0:0.5.5-2.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-rdoc-0:3.8-6.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-rspec-rails-0:2.6.1-7.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-ruby_parser-0:2.0.4-6.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0548", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-shoulda-0:2.11.3-5.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2013-02-21T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "candlepin-0:0.7.24-1.el6_3", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "katello-0:1.2.1.1-1h.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "katello-configure-0:1.2.3.1-4h.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-actionpack-1:3.0.10-12.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-activemodel-0:3.0.10-3.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-delayed_job-0:2.1.4-3.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-json-0:1.7.3-2.el6_3", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rack-1:1.3.0-4.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rails_warden-0:0.5.5-2.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rdoc-0:3.8-6.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "thumbslug-0:0.0.28.1-1.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-ruby-0:1.9.3.327-28.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "rubygem-json-0:1.7.3-2.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "rubygem-rdoc-0:3.8-9.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-4.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-bcrypt-ruby-0:3.0.1-7.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-bson-0:1.5.2-6.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-chunky_png-0:1.2.6-3.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-ci_reporter-0:1.7.2-4.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-compass-0:0.12.2-4.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-fastthread-0:1.0.7-7.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-haml-0:3.1.7-3.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-http_connection-0:1.4.1-7.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-rack-1:1.4.1-5.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-rack-test-0:0.6.1-3.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-rspec-0:2.11.0-2.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-treetop-0:1.4.10-6.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}, {"advisory": "RHSA-2013:0728", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-rubygem-xml-simple-0:1.0.12-10.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-09T00:00:00Z"}], "bugzilla": {"description": "rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template", "id": "907820", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."], "name": "CVE-2013-0256", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Affected", "package_name": "rubygem-haml", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Affected", "package_name": "rubygem-haml", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Will not fix", "package_name": "rubygem-rdoc", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Affected", "package_name": "rubygem-haml", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "rubygem-haml", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2013-02-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-0256\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-0256\nhttp://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"], "threat_severity": "Moderate"}

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object