
CVE-2017-16833: Gemirro Stored XSS in Gemspec "homepage" value

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.5516%
Published: 11/29/2017
Updated: 8/29/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: gemirro
Ecosystem: rubygems
Vulnerable Versions: < 0.16.0
First Patched Version: 0.16.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from two key points:

  1. The helpers#escape method (in server.rb) performed HTML entity encoding but did not validate or escape URL schemes, so a 'javascript:' URL survived encoding unchanged.
  2. The gem.erb template injected spec.homepage directly into href attributes after HTML-escaping it, which is insufficient to prevent XSS in a URL context.

The patch introduced URI parsing/escaping via a new homepage helper method, addressing both the missing URL scheme validation and the lack of context-aware escaping.
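The two points above, shown side by side in Ruby. This is an added example written for this page, not gemirro's own code: escape_only_link stands in for the original entity-escape-then-interpolate pattern, and safe_homepage / homepage_link are an assumed shape for a context-aware helper (parse as a URI, accept only http/https, then HTML-escape). The sample values are constructed.

```ruby
require 'cgi'
require 'uri'

# Entity escaping only (the pre-patch pattern): quotes and angle brackets are
# neutralised, but the URL scheme is never inspected, so a javascript: value
# is interpolated into href unchanged.
def escape_only_link(homepage)
  text = CGI.escapeHTML(homepage.to_s)
  %(<a href="#{text}">#{text}</a>)
end

# Assumed context-aware helper (not gemirro's code). A value is usable as a
# link only if it parses as an absolute http/https URI.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_homepage(value)
  return nil if value.nil? || value.strip.empty?

  uri = URI.parse(value.strip)
  # URI::HTTPS is a subclass of URI::HTTP; javascript:, data:, ftp: and
  # scheme-less values all parse to other classes and are rejected here.
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)

  uri.to_s
rescue URI::InvalidURIError
  nil # malformed input (spaces, stray quotes, ...) renders no link at all
end

# Template-facing replacement for the href interpolation: validate the scheme
# first, and only then apply HTML escaping for the attribute context.
def homepage_link(value)
  url = safe_homepage(value)
  return '' if url.nil?

  text = CGI.escapeHTML(url)
  %(<a href="#{text}">#{text}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: one legitimate homepage, one javascript: URL.
  ['https://example.com/gem', 'javascript:alert(1)'].each do |value|
    puts "escape-only: #{escape_only_link(value)}"
    puts "validated:   #{homepage_link(value).inspect}"
  end
end
```

Running it shows the escape-only line still carrying href="javascript:alert(1)" while the validated helper emits an empty string for that value and an unchanged link for the https one. Rejecting on any parse failure (rather than falling back to the raw value) is the deliberate choice: a homepage field that does not parse as an http/https URI has no legitimate reason to become a link.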


WAF Protection Rules

WAF Rule

Stored cross-site scripting (XSS) vulnerability in Gemirro before 0.16.0 allows attackers to inject arbitrary web script via a crafted javascript: URL in the "homepage" value of a ".gemspec" file. A ".gemspec" file must be created with a JavaScript U
