RDoc 2.3.0 through 3.12 XSS Exploit

Metadata

medium
4.3
rdoc
CVE-2013-0256
osvdb.org
2013-02-06
2017-06-16 19:02
CVE-2013-0256 ruby1.8
CVE-2013-0256 ruby1.9.1
CVE-2013-0256
2017-04-01 19:10
2017-01-05 20:15

Description

RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
up to rdoc 4.0.0.preview2.1 is vulnerable to an XSS exploit. This exploit
may lead to cookie disclosure to third parties.

The exploit exists in darkfish.js, which is copied from the RDoc install
location to the generated documentation.

RDoc is a static documentation generation tool. Patching the library itself
is insufficient to correct this exploit.

This exploit was discovered by Evgeny Ermakov.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Affected package information

Package    Patched in                     Unaffected in
rdoc       ~> 3.9.5, ~> 3.12.1, >= 4.0    None
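
Because darkfish.js is copied into every generated documentation tree, upgrading rdoc leaves the old copies in place. The following is an added example, not code from RDoc or from this advisory: it checks an rdoc version against the patched constraints in the table above and lists darkfish.js copies under a documentation root that differ from a reference copy. The function names, the command-line arguments and the idea of comparing against a reference file taken from a patched install are assumptions made for illustration.

```ruby
require 'rubygems'
require 'digest'
require 'find'

# Patched constraints exactly as listed in the advisory's package table.
PATCHED = ['~> 3.9.5', '~> 3.12.1', '>= 4.0'].map { |c| Gem::Requirement.new(c) }

# True when the rdoc version satisfies one of the patched constraints.
# Prereleases such as 4.0.0.preview2.1 sort below 4.0, so they stay unpatched.
def rdoc_patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Walk doc_root and return every darkfish.js whose SHA-256 differs from
# reference_js (assumed here to be the copy shipped with a patched rdoc).
# A mismatch marks a tree that was generated earlier and needs regenerating.
def stale_darkfish_copies(doc_root, reference_js)
  good = Digest::SHA256.file(reference_js).hexdigest
  stale = []
  Find.find(doc_root) do |path|
    next unless File.file?(path) && File.basename(path) == 'darkfish.js'
    stale << path unless Digest::SHA256.file(path).hexdigest == good
  end
  stale.sort
end

# Hypothetical usage: ruby check_darkfish.rb DOC_ROOT REFERENCE_DARKFISH_JS
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  doc_root, reference_js = ARGV
  stale = stale_darkfish_copies(doc_root, reference_js)
  stale.each { |p| puts "stale copy, regenerate docs: #{p}" }
  exit(stale.empty? ? 0 : 1)
end
```
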