CVE-2017-16792:
Geminabox contains Cross-site Scripting

CVSS Score: 6.1

Basic Information

EPSS Score: -
Published: 11/29/2017
Updated: 3/14/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
geminabox    | rubygems  | < 0.13.10           | 0.13.10

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from using the h helper function (which only performs HTML escaping) to sanitize the homepage value in views/gem.erb and views/index.erb. While h escapes HTML metacharacters, it does not validate the URL scheme, so a homepage such as javascript:alert(1) passes through unchanged and is executed when the rendered link is clicked. The fix introduced a new href helper that only accepts http:// and https:// URLs and replaces any other value with a safe default. The h function itself is not inherently vulnerable; it was misapplied in this context, and its use inside href attributes is the root cause.
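To make the distinction concrete, the following added example (not geminabox's own code; the helper names h and href mirror the ones described above but the implementations are hypothetical) renders a gemspec homepage link with an escape-only helper and with a scheme-validating helper, using constructed sample homepage values:

```ruby
require "cgi"
require "uri"

# HTML-escapes a string, the way a typical `h` view helper does.
# This neutralises markup injection but leaves the URL scheme untouched,
# so "javascript:alert(1)" survives escaping and still runs when clicked.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Hardened helper (hypothetical implementation): only http:// and https://
# homepages with a host are allowed through; anything else (javascript:,
# data:, unparsable text) is replaced by a harmless fallback before the
# result is HTML-escaped for use in an attribute.
SAFE_SCHEMES = %w[http https].freeze
FALLBACK_HREF = "#".freeze

def href(value)
  uri = URI.parse(value.to_s.strip)
  safe = SAFE_SCHEMES.include?(uri.scheme&.downcase) && !uri.host.to_s.empty?
  h(safe ? uri.to_s : FALLBACK_HREF)
rescue URI::InvalidURIError
  h(FALLBACK_HREF)
end

# The homepage link as a gem listing view might render it:
# escape-only (the vulnerable pattern) versus scheme-checked (the fix).
def vulnerable_link(homepage)
  %(<a href="#{h(homepage)}">Homepage</a>)
end

def hardened_link(homepage)
  %(<a href="#{href(homepage)}">Homepage</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample gemspec "homepage" values.
  ["https://example.org/gem", "javascript:alert(1)", "data:text/html,x"].each do |hp|
    puts "escape-only:    #{vulnerable_link(hp)}"
    puts "scheme-checked: #{hardened_link(hp)}"
  end
end
```

Note that escaping alone is the right tool for text nodes; for attributes that carry a URL, the value must additionally be validated against an allow-list of schemes, which is what the scheme check adds.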


WAF Protection Rules

WAF Rule

Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.
