

GSD-2012-6684

Vulnerability from gsd - Updated: 2012-02-29 00:00 (note: this timestamp predates every public reference in the record — the full-disclosure post is dated 2014-12-11, DSA-3168 was issued in 2015 and NVD published the entry on 2015-01-08 — so treat it as a database artifact, not a disclosure or fix date)
Details
Cross-site scripting (XSS) vulnerability in the RedCloth library for Ruby, versions 4.2.9 and earlier, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a Textile link, because link targets are not validated before being rendered. Fixed in RedCloth 4.3.0; upgrade to 4.3.0 or later.
Aliases

{
  "GSD": {
    "alias": "CVE-2012-6684",
    "description": "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.",
    "id": "GSD-2012-6684",
    "references": [
      "https://www.suse.com/security/cve/CVE-2012-6684.html",
      "https://www.debian.org/security/2015/dsa-3168"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "RedCloth",
            "purl": "pkg:gem/RedCloth"
          }
        }
      ],
      "aliases": [
        "CVE-2012-6684",
        "OSVDB-115941"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.",
      "id": "GSD-2012-6684",
      "modified": "2012-02-29T00:00:00.000Z",
      "published": "2012-02-29T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://co3k.org/blog/redcloth-unfixed-xss-en"
        },
        {
          "type": "WEB",
          "url": "https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c"
        },
        {
          "type": "WEB",
          "url": "https://gist.github.com/co3k/75b3cb416c342aa1414c"
        },
        {
          "type": "WEB",
          "url": "https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.3,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2012-6684 rubygem-RedCloth: XSS vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2012-6684",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://co3k.org/blog/redcloth-unfixed-xss-en",
            "refsource": "MISC",
            "url": "http://co3k.org/blog/redcloth-unfixed-xss-en"
          },
          {
            "name": "http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss",
            "refsource": "MISC",
            "url": "http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss"
          },
          {
            "name": "20141211 RedCloth contains unfixed XSS vulnerability for 9 years",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2014/Dec/50"
          },
          {
            "name": "https://gist.github.com/co3k/75b3cb416c342aa1414c",
            "refsource": "MISC",
            "url": "https://gist.github.com/co3k/75b3cb416c342aa1414c"
          },
          {
            "name": "DSA-3168",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2015/dsa-3168"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2012-6684",
      "cvss_v2": 4.3,
      "date": "2012-02-29",
      "description": "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.",
      "gem": "RedCloth",
      "osvdb": 115941,
      "patched_versions": [
        "\u003e= 4.3.0"
      ],
      "related": {
        "url": [
          "https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c",
          "https://gist.github.com/co3k/75b3cb416c342aa1414c",
          "https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss"
        ]
      },
      "title": "CVE-2012-6684 rubygem-RedCloth: XSS vulnerability",
      "url": "https://co3k.org/blog/redcloth-unfixed-xss-en"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.3.0",
          "affected_versions": "All versions before 4.3.0",
          "credit": "Kousuke Ebihara, Antonio Terceiro",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2016-09-02",
          "description": "RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when parsing textile links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user\u0027s browser session within the trust relationship between their browser and the server.",
          "fixed_versions": [
            "4.3.0"
          ],
          "identifier": "CVE-2012-6684",
          "identifiers": [
            "CVE-2012-6684"
          ],
          "not_impacted": "All versions starting from 4.3.0",
          "package_slug": "gem/RedCloth",
          "pubdate": "2015-01-07",
          "solution": "Upgrade to version 4.3.0 or above.",
          "title": "Textile Link Parsing XSS",
          "urls": [
            "http://co3k.org/blog/redcloth-unfixed-xss-en",
            "https://bugs.debian.org/774748",
            "https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c"
          ],
          "uuid": "25777bad-772f-4b0b-867a-dadece3b3a80"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redcloth:redcloth_library:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.2.9",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2012-6684"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://co3k.org/blog/redcloth-unfixed-xss-en",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "http://co3k.org/blog/redcloth-unfixed-xss-en"
            },
            {
              "name": "http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss"
            },
            {
              "name": "20141211 RedCloth contains unfixed XSS vulnerability for 9 years",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2014/Dec/50"
            },
            {
              "name": "https://gist.github.com/co3k/75b3cb416c342aa1414c",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch"
              ],
              "url": "https://gist.github.com/co3k/75b3cb416c342aa1414c"
            },
            {
              "name": "DSA-3168",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2015/dsa-3168"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2016-09-02T12:54Z",
      "publishedDate": "2015-01-08T01:59Z"
    }
  }
}