CVE-2020-25739 — Cross-site Scripting in Project GON

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.8%

top 26.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GON Project GON Canonical Ubuntu Linux Debian Linux

Timeline

PublishedSep 23

Latest updateApr 30

Description

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDgon_project/gon< 6.4.0

Also affects: Debian Linux 9.0, Ubuntu Linux 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gon gem lack of escaping certain input when outputting as JSON↗2021-04-30

▶

GHSA

Gon gem lack of escaping certain input when outputting as JSON↗2021-04-30

▶

CVEList

CVE-2020-25739: An issue was discovered in the gon gem before gon-6↗2020-09-23

▶

OSV

CVE-2020-25739: An issue was discovered in the gon gem before gon-6↗2020-09-23

▶

📋Vendor Advisories

Ubuntu

Gon gem vulnerability↗2020-09-30

▶

Debian

CVE-2020-25739: ruby-gon - An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does...↗2020

▶