6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36624

GHSA ID

GHSA-74hc-57m5-83ch

EPSS Score

0.40139%

CWE

CWE-266

Published

12/22/2022

Updated

2/2/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-36624

CVE-2020-36624: text_helpers uses web link to untrusted target with window.opener access

A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. This vulnerability affects unknown code of the file lib/text_helpers/translation.rb. The manipulation of the argument link leads to use of web link to untrusted target with window.opener access. The attack can be initiated remotely. Upgrading to version 1.2.0 can address this issue. The name of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216520.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36624

GHSA ID

GHSA-74hc-57m5-83ch

EPSS Score

0.40139%

CWE

CWE-266

Published

12/22/2022

Updated

2/2/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
text_helpers	rubygems	>= 1.1.0, < 1.2.0	1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerable link function in translation.rb added target='_blank' without noopener protection. This matches CWE-1022's description of unsafe window.opener access. The patch explicitly adds rel='noopener' to mitigate this, and tests were updated to verify this protection. The function's role in generating links with external targets directly correlates with the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in **orn*r t*xt-**lp*rs *.*.*/*.*.*. T*is vuln*r**ility *****ts unknown *o** o* t** *il* li*/t*xt_**lp*rs/tr*nsl*tion.r*. T** m*nipul*tion o* t** *r*um*nt link l***s to us* o* w** link to untrust** t*r**t wit* win*ow.op*n*r

Reasoning

T** *ommit *i** s*ows t** vuln*r**l* link *un*tion in `tr*nsl*tion.r*` ***** t*r**t='_*l*nk' wit*out `noop*n*r` prot**tion. T*is m*t***s *W*-****'s **s*ription o* uns*** `win*ow.op*n*r` ****ss. T** p*t** *xpli*itly ***s r*l='noop*n*r' to miti**t* t*i

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-36624: text_helpers uses web link to untrusted target with window.opener access

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI