CVE-2013-0256 — Cross-site Scripting in Rdoc

CWE-79 — Cross-site Scripting10 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

3.6%

top 12.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Rdoc Canonical Ubuntu Linux Ruby-lang Ruby

Timeline

PublishedMar 1

Latest updateJul 18

Description

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDruby-lang/rdoc2.3.0 — 3.12+1

▶RubyGemsruby-lang/rdoc2.3.0 — 3.12.1

▶NVDruby-lang/ruby6 versions+5

Also affects: Ubuntu Linux 12.04, 12.10

🔴Vulnerability Details

OSV

RDoc contains XSS vulnerability↗2017-10-24

▶

GHSA

RDoc contains XSS vulnerability↗2017-10-24

▶

CVEList

CVE-2013-0256: darkfish↗2013-03-01

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2013-02-21

▶

Red Hat

rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template↗2013-02-06

▶

💬Community

HackerOne

XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)↗2023-07-18

▶

HackerOne

XSS exploit of RDoc documentation generated by rdoc↗2023-07-18

▶

Bugzilla

CVE-2013-0256 rubygem-rdoc (2.3.0 <= X <= 3.12): Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template [fedora-all]↗2013-02-06

▶

Bugzilla

CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template↗2013-02-05

▶