Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-0256
Vulnerability from gsd - Updated: 2013-02-06 00:00Details
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-0256",
"description": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.",
"id": "GSD-2013-0256",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0256.html",
"https://access.redhat.com/errata/RHSA-2013:0728",
"https://access.redhat.com/errata/RHSA-2013:0701",
"https://access.redhat.com/errata/RHSA-2013:0686",
"https://access.redhat.com/errata/RHSA-2013:0548"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rdoc",
"purl": "pkg:gem/rdoc"
}
}
],
"aliases": [
"CVE-2013-0256",
"OSVDB-90004"
],
"details": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.",
"id": "GSD-2013-0256",
"modified": "2013-02-06T00:00:00.000Z",
"published": "2013-02-06T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0256"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0256",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2013:0701",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/",
"refsource": "CONFIRM",
"url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"
},
{
"name": "52774",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/52774"
},
{
"name": "openSUSE-SU-2013:0303",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"
},
{
"name": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2",
"refsource": "MISC",
"url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"
},
{
"name": "RHSA-2013:0728",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"
},
{
"name": "RHSA-2013:0686",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60",
"refsource": "CONFIRM",
"url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"
},
{
"name": "RHSA-2013:0548",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"
},
{
"name": "USN-1733-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=907820",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"
},
{
"name": "SUSE-SU-2013:0647",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0256",
"cvss_v2": 4.3,
"date": "2013-02-06",
"description": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.",
"gem": "rdoc",
"osvdb": 90004,
"patched_versions": [
"~\u003e 3.9.5",
"~\u003e 3.12.1",
"\u003e= 4.0"
],
"title": "CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0256"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.3.0 \u003c3.9.5 || \u003e=3.10 \u003c3.12 || \u003e=4.0.0.preview2 \u003c4.0.0.rc.2",
"affected_versions": "All versions starting from 2.3.0 before 3.9.5, all versions starting from 3.10 before 3.12, all versions starting from 4.0.0.preview2 before 4.0.0.rc.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2013-06-04",
"description": "This exploit may lead to cookie disclosure to third parties. The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation. RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit.",
"fixed_versions": [
"3.12.1",
"3.9.5",
"4.0.0.rc.2"
],
"identifier": "CVE-2013-0256",
"identifiers": [
"CVE-2013-0256"
],
"not_impacted": "2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1",
"package_slug": "gem/rdoc",
"pubdate": "2013-03-01",
"solution": "Upgrade abd patches available (see source)",
"title": "XSS exploit of RDoc documentation generated by rdoc",
"urls": [
"https://github.com/rdoc/rdoc/blob/master/CVE-2013-0256.rdoc"
],
"uuid": "b48946f1-9df2-4019-862d-33bee381b7a1"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:rdoc:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:rdoc:4.0.0:preview2:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0256"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=907820",
"refsource": "MISC",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=907820"
},
{
"name": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/"
},
{
"name": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60"
},
{
"name": "RHSA-2013:0548",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"
},
{
"name": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"
},
{
"name": "openSUSE-SU-2013:0303",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html"
},
{
"name": "USN-1733-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "52774",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/52774"
},
{
"name": "RHSA-2013:0686",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "RHSA-2013:0701",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "SUSE-SU-2013:0647",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"name": "RHSA-2013:0728",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0728.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2021-09-09T12:28Z",
"publishedDate": "2013-03-01T05:40Z"
}
}
}