svn commit: r536871 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Fri May 29 01:59:50 UTC 2020
Author: sunpoet
Date: Fri May 29 01:59:45 2020
New Revision: 536871
URL: https://svnweb.freebsd.org/changeset/ports/536871
Log:
Document rubygem-kaminari-core vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri May 29 01:59:39 2020 (r536870)
+++ head/security/vuxml/vuln.xml Fri May 29 01:59:45 2020 (r536871)
@@ -58,6 +58,43 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4e6875a2-a126-11ea-b385-08002728f74c">
+ <topic>kaminari -- potential XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-kaminari-core</name>
+ <range><lt>1.2.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Kaminari Security Advisories:</p>
+ <blockquote cite="https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433">
+ <p>There was a vulnerability in versions of Kaminari that would allow an
+ attacker to inject arbitrary code into pages with pagination links.</p>
+ <p>For example, an attacker could craft pagination links that link to
+ other domain or host:
+ https://example.com/posts?page=4 original_script_name=https://another-host.example.com</p>
+ <p>In addition, an attacker could also craft pagination links that include
+ JavaScript code that runs when a user clicks the link:
+ https://example.com/posts?page=4 original_script_name=javascript:alert(42)%3b//</p>
+ <p>The 1.2.1 gem including the patch has already been released.<p>
+ <p>All past released versions are affected by this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433</url>
+ <url>https://github.com/kaminari/kaminari/blob/master/CHANGELOG.md#121</url>
+ <url>https://github.com/kaminari/kaminari/pull/1020</url>
+ <cvename>CVE-2020-11082</cvename>
+ </references>
+ <dates>
+ <discovery>2020-04-22</discovery>
+ <entry>2020-05-28</entry>
+ </dates>
+ </vuln>
+
<vuln vid="28481349-7e20-4f80-ae1e-e6bf48d4f17c">
<topic>Sane -- Multiple Vulnerabilities</topic>
<affects>
More information about the svn-ports-head
mailing list