PT-2019-7861 · Ruby · Haml

K0Kubun

Published

2019-10-15

Updated

2022-04-05

CVE-2017-1002201

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions haml versions prior to 5.0.0.beta.2

Description The issue arises when user input is used to perform tasks on the server, and certain characters like <, >, ", and ' are not properly escaped. Specifically, the ' character was missed, allowing an attacker to manipulate the input and introduce additional attributes, potentially leading to code execution.

Recommendations For versions prior to 5.0.0.beta.2, update to version 5.0.0.beta.2 or later to resolve the issue. As a temporary workaround, consider properly escaping all user input to prevent the introduction of malicious attributes.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-1002201

DLA-1986-1

DLA-2864-1

GHSA-R53W-G4XM-3GC6

SNYK-RUBY-HAML-20362

SUSE-SU-2019:2932-1

SUSE-SU-2019:3270-1

SUSE-SU-2020:0640-1

Affected Products

Haml

PT-2019-7861 · Ruby · Haml

CVE-2017-1002201

Weakness Enumeration

Related Identifiers

Affected Products

References · 77