CVE-2020-36624: text_helpers uses web link to untrusted target with window.opener access

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score
0.40139%
Published
12/22/2022
Updated
2/2/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
text_helpers   rubygems    >= 1.1.0, < 1.2.0     1.2.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit diff shows the vulnerable link function in translation.rb added target='_blank' without noopener protection. This matches CWE-1022's description of unsafe window.opener access. The patch explicitly adds rel='noopener' to mitigate this, and tests were updated to verify this protection. The function's role in generating links with external targets directly correlates with the vulnerability description.
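To make the root cause concrete, here is an added Ruby example (not the text_helpers gem's code; the module and method names are constructed for illustration). It places a link helper that emits target="_blank" without rel="noopener" next to the hardened form that applies the same fix the patch did, and adds a small scanner that flags rendered anchors still exposing window.opener, which is a useful regression check in a template test suite.

```ruby
# Added example, not the text_helpers gem's own code. Illustrates CWE-1022:
# an anchor with target="_blank" and no rel="noopener" leaves window.opener
# set in the new browsing context, so an untrusted target page can navigate
# the opener (reverse tabnabbing). Names below are constructed.
require 'cgi'

module LinkHelpers
  # Vulnerable form (mirrors the pre-patch behaviour described above):
  # opens a new tab but does not sever the opener relationship.
  def self.unsafe_link(text, href)
    %(<a href="#{CGI.escapeHTML(href)}" target="_blank">#{CGI.escapeHTML(text)}</a>)
  end

  # Hardened form: rel="noopener" is the fix the patch applied. Adding
  # "noreferrer" as well would also suppress the Referer header, but the
  # minimal mitigation for CWE-1022 is noopener.
  def self.safe_link(text, href, external: true)
    attrs = [%(href="#{CGI.escapeHTML(href)}")]
    if external
      attrs << 'target="_blank"'
      attrs << 'rel="noopener"'
    end
    %(<a #{attrs.join(' ')}>#{CGI.escapeHTML(text)}</a>)
  end

  # Defensive check over rendered HTML: returns the href of every anchor
  # that opens a new browsing context (target="_blank", any case) whose
  # rel attribute does not contain the "noopener" token.
  ANCHOR_RE = /<a\b([^>]*)>/i

  def self.tabnabbing_risks(html)
    html.scan(ANCHOR_RE).flatten.filter_map do |attrs|
      target = attrs[/\btarget\s*=\s*["']?([^"'\s>]+)/i, 1]
      next unless target && target.casecmp?('_blank')

      rel = attrs[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s
      next if rel.split(/\s+/).any? { |token| token.casecmp?('noopener') }

      attrs[/\bhref\s*=\s*["']([^"']*)["']/i, 1]
    end
  end

  # Constructed sample markup mixing safe and unsafe anchors.
  SAMPLE_HTML = <<~HTML
    <a href="https://trusted.example/docs" target="_blank" rel="noopener">Docs</a>
    <a href="https://user-supplied.example/page" target="_blank">User link</a>
    <a href='/internal' target='_self'>Internal</a>
    <a href="https://other.example" target="_BLANK" rel="nofollow">Other</a>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  puts LinkHelpers.unsafe_link('docs', 'https://example.org/?a=1&b=2')
  puts LinkHelpers.safe_link('docs', 'https://example.org/?a=1&b=2')
  puts "Anchors still exposing window.opener: #{LinkHelpers.tabnabbing_risks(LinkHelpers::SAMPLE_HTML).inspect}"
end
```

The scanner is deliberately attribute-order and case insensitive, because a template can emit `target='_BLANK'` or put `rel` before `target` and the browser treats those identically; a check that only matches one exact string would miss them.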


WAF Protection Rules

WAF Rule

A vulnerability was found in ahorner text-helpers *.*.*/*.*.*. This vulnerability affects unknown code of the file lib/text_helpers/translation.rb. The manipulation of the argument link leads to use of web link to untrusted target with window.opener
