An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zaDd2LXdxdzctZmYyOM4AArCV

Severity: Moderate. EPSS: 0.00206% (0.43229 percentile)

Cross site scripting in publify

Affected package: rubygems:publify_core (PURL: pkg:gem/publify_core)
Affected versions: >= 8.0, < 9.2.5
Fixed versions: 9.2.5
Usage: 2 dependent packages, 8 dependent repositories, 38,079 downloads total

Affected Version Ranges

All affected versions

9.0.0, 9.0.1, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4

All unaffected versions

9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 10.0.0, 10.0.1, 10.0.2, 10.0.3

In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the "publisher" role to inject malicious JavaScript via an uploaded HTML file.

References: