PT-2020-16179 · Ruby+1 · Gon+1
Published
2020-09-23
·
Updated
2023-01-31
·
CVE-2020-25739
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
gon versions prior to 6.4.0
Description
An issue was discovered in the gon gem for Ruby, where MultiJson does not honor the escape mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
Recommendations
For versions prior to 6.4.0, update to version 6.4.0 or later to ensure that json_dumper.rb in gon escapes fields for XSS protection by default.
Exploit
Fix
XSS
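The escaping the advisory describes, shown as an added example in plain Ruby; this is not gon's own json_dumper.rb code, and the escape map, the inline script shape and the sample value are assumptions made for the example.

```ruby
require 'json'

# Characters that let a value break out of an inline <script> block or close
# a tag early once the JSON text is embedded in HTML. U+2028/U+2029 are valid
# unescaped in JSON but are line terminators in JavaScript, so they are
# escaped as well. (Assumed map for this example; not gon's own table.)
XSS_ESCAPES = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Plain dump: the escape step is skipped, which is the behaviour the
# advisory describes when MultiJson ignored the escape mode parameter.
def unsafe_json(obj)
  JSON.generate(obj)
end

# Dump and then escape the JSON text itself. The result is still valid JSON
# and decodes to the same object, but no longer contains raw HTML-significant
# characters, so it can be placed inside <script> safely.
def xss_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, XSS_ESCAPES)
end

# Inline script in the shape a view helper emits (assumed shape for this example).
def inline_script(json_text)
  "<script>window.gon = #{json_text};</script>"
end

# True when the embedded JSON would terminate the script element early.
def breaks_out_of_script?(json_text)
  inline_script(json_text).scan(%r{</script>}i).size > 1
end

# Constructed sample: an attacker-controlled string that reaches the page.
SAMPLE = { 'name' => '</script><b>injected</b>' }.freeze

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{unsafe_json(SAMPLE)}"
  puts "safe:   #{xss_safe_json(SAMPLE)}"
end
```

Because the escaping is applied to the JSON text rather than to the HTML, the value round-trips unchanged through JSON.parse while no raw `<`, `>` or `&` reaches the page.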
Weakness Enumeration
Related Identifiers
Affected Products
Ubuntu
Gon