CVE-2017-16792:
Geminabox contains Cross-site Scripting
Basic Information
CVE ID: CVE-2017-16792
CVSS Score: 6.1
EPSS Score: -
Published: 11/29/2017
Updated: 3/14/2023
KEV Status: No
Technology: Ruby

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| geminabox | rubygems | < 0.13.10 | 0.13.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from using the h helper function (which only performs HTML escaping) to sanitize the homepage value in views/gem.erb and views/index.erb. While h escapes HTML characters, it does not validate URL schemes, so a malicious value such as javascript:alert(1) passes through into the href attribute unchanged. The fix introduced a new href helper that enforces http:// or https:// schemes and replaces unsafe values. The h function itself is not inherently vulnerable, but it was misapplied in this context: relying on it alone inside href attributes is the root cause.
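The misuse described above, as an added Ruby illustration that is not geminabox's own code: an h helper that only HTML-escapes beside a hypothetical href helper that admits only http and https, which is the shape of the fix the analysis describes. The link-building function names, the use of ERB::Util for escaping, and the "#" fallback for rejected values are assumptions.

```ruby
require "erb"
require "uri"

# HTML-escaping helper in the style of the h used by the views (assumed to be
# ERB::Util.html_escape). It neutralises & < > " ' but knows nothing about URLs.
def h(text)
  ERB::Util.html_escape(text)
end

# Vulnerable pattern: escaping alone does not stop a javascript: scheme, because
# "javascript:alert(1)" contains no character that html_escape would touch.
def vulnerable_homepage_link(homepage)
  %(<a href="#{h(homepage)}">Homepage</a>)
end

# Hardened pattern (hypothetical href helper mirroring the described fix):
# parse the value and keep it only if it is an http or https URL, then escape it.
# Anything else (other schemes, scheme-less, unparsable, nil) is replaced by "#".
def href(url)
  uri = URI.parse(url.to_s)
  return "#" unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  h(url)
rescue URI::InvalidURIError
  "#"
end

def safe_homepage_link(homepage)
  %(<a href="#{href(homepage)}">Homepage</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values for a gem's homepage metadata.
  ["https://example.com/gem", "javascript:alert(1)", "ftp://example.com", nil].each do |v|
    puts "vulnerable: #{vulnerable_homepage_link(v)}"
    puts "hardened:   #{safe_homepage_link(v)}"
  end
end
```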