Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4cjgtdzNqcS1yY3dq
rails_admin ruby gem XSS
An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.
Permalink: https://github.com/advisories/GHSA-pxr8-w3jq-rcwjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4cjgtdzNqcS1yY3dq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: 10 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-pxr8-w3jq-rcwj, CVE-2017-12098
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12098
- https://github.com/advisories/GHSA-pxr8-w3jq-rcwj
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails_admin/CVE-2017-12098.yml
- https://web.archive.org/web/20210116160904/http://www.securityfocus.com/bid/102486
Affected Packages
rubygems:rails_admin
Dependent packages: 99Dependent repositories: 9,284
Downloads: 9,342,012 total
Affected Version Ranges: < 1.3.0
Fixed in: 1.3.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.8.1, 1.0.0, 1.1.0, 1.1.1, 1.2.0
All unaffected versions: 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2