6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-16833

GHSA ID

GHSA-x7p2-x2j6-mwhr

EPSS Score

0.5516%

CWE

CWE-79

Published

11/29/2017

Updated

8/29/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16833

CVE-2017-16833: Gemirro Stored XSS in Gemspec "homepage" value

Stored cross-site scripting (XSS) vulnerability in Gemirro before 0.16.0 allows attackers to inject arbitrary web script via a crafted javascript: URL in the "homepage" value of a ".gemspec" file. A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Gemirro server, in order to achieve stored XSS via the author name hyperlink.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-16833

GHSA ID

GHSA-x7p2-x2j6-mwhr

EPSS Score

0.5516%

CWE

CWE-79

Published

11/29/2017

Updated

8/29/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gemirro	rubygems	< 0.16.0	0.16.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key points:

The helpers#escape method (in server.rb) performed HTML entity encoding but didn't validate/escape URL schemes. This allowed 'javascript:' URLs to persist.
The gem.erb template directly injected spec.homepage into href attributes after HTML-escaping, which is insufficient for URL context XSS prevention. The patch introduced URI parsing/escaping via a new homepage helper method, addressing both the lack of URL scheme validation and context-aware escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Stor** *ross-sit* s*riptin* (XSS) vuln*r**ility in **mirro ***or* *.**.* *llows *tt**k*rs to inj**t *r*itr*ry w** s*ript vi* * *r**t** j*v*s*ript: URL in t** "*om*p***" v*lu* o* * ".**msp**" *il*. * ".**msp**" *il* must ** *r**t** wit* * J*v*S*ript U

Reasoning

T** vuln*r**ility st*mm** *rom two k*y points: *. T** **lp*rs#*s**p* m*t*o* (in s*rv*r.r*) p*r*orm** *TML *ntity *n*o*in* *ut *i*n't v*li**t*/*s**p* URL s***m*s. T*is *llow** 'j*v*s*ript:' URLs to p*rsist. *. T** **m.*r* t*mpl*t* *ir**tly inj**t** sp

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-16833: Gemirro Stored XSS in Gemspec "homepage" value

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI