Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-2105
Vulnerability from gsd - Updated: 2013-05-17 00:00Details
Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-2105",
"description": "The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.",
"id": "GSD-2013-2105"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "show_in_browser",
"purl": "pkg:gem/show_in_browser"
}
}
],
"aliases": [
"CVE-2013-2105",
"OSVDB-93490"
],
"details": "Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user\u0027s browser.",
"id": "GSD-2013-2105",
"modified": "2013-05-17T00:00:00.000Z",
"published": "2013-05-17T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2105"
}
],
"schema_version": "1.4.0",
"summary": "Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2105",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130518 Re: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/05/18/4"
},
{
"name": "http://vapid.dhs.org/advisories/show_in_browser.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/show_in_browser.html"
},
{
"name": "showinbrowser-cve20132105-symlink(84378)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84378"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-2105",
"date": "2013-05-17",
"description": "Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user\u0027s browser.",
"gem": "show_in_browser",
"osvdb": 93490,
"title": "Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2105"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.0.3",
"affected_versions": "All versions up to 0.0.3",
"credit": "Larry W. Cashdollar (@_larry0)",
"cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-59",
"CWE-937"
],
"date": "2017-08-28",
"description": "By a malicious user creating `/tmp/browser.html` first and repeatedly writing to it, they can inject malicious html into the file right before it is about to be opened.",
"fixed_versions": [],
"identifier": "CVE-2013-2105",
"identifiers": [
"CVE-2013-2105"
],
"package_slug": "gem/show_in_browser",
"pubdate": "2014-04-22",
"solution": "No solution yet.",
"title": "Injection vulnerability in /tmp file",
"urls": [
"http://vapid.dhs.org/advisories/show_in_browser_tmp_vuln.html"
],
"uuid": "4e5d4952-d236-49dc-b70a-61d20fb47965"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jonathan_leung:show_in_browser:0.0.3:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2105"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/show_in_browser.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://vapid.dhs.org/advisories/show_in_browser.html"
},
{
"name": "[oss-security] 20130518 Re: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2013/05/18/4"
},
{
"name": "showinbrowser-cve20132105-symlink(84378)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84378"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:33Z",
"publishedDate": "2014-04-22T14:23Z"
}
}
}