Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1M3ctZzR4bS0zZ2M2

Moderate EPSS: 0.00825% (0.73515 Percentile) EPSS:
Permalink JSON

Haml vulnerable to cross-site scripting

Affected Packages Affected Versions Fixed Versions
rubygems:haml
PURL: pkg:gem/haml
< 5.0.0 5.0.0
1,475 Dependent packages
122,605 Dependent repositories
184,095,511 Downloads total

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.5.0, 1.5.1, 1.5.2, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7

All unaffected versions

5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.3.0, 6.3.1, 6.4.0, 7.0.0

In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

References:

Identifiers

GHSA-r53w-g4xm-3gc6

CVE-2017-1002201

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00825

EPSS Percentile: 0.73515

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/haml/haml

Date and time

Published

about 6 years ago

Updated

about 2 years ago

API

JSON