{"id":"GHSA-r23g-3qw4-gfh2","summary":"RedCloth Cross-site Scripting vulnerability","details":"Cross-site scripting (XSS) vulnerability in the RedCloth library for Ruby, version 4.2.9 and earlier, allows remote attackers to inject arbitrary web script or HTML via a `javascript:` URI.","aliases":["CVE-2012-6684"],"modified":"2024-12-03T06:15:26.753053Z","published":"2017-10-24T18:33:37Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-79"],"github_reviewed_at":"2020-06-16T21:53:16Z","severity":"MODERATE","nvd_published_at":"2015-01-08T01:59:01Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6684"},{"type":"WEB","url":"https://co3k.org/blog/redcloth-unfixed-xss-en"},{"type":"WEB","url":"https://gist.github.com/co3k/75b3cb416c342aa1414c"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/RedCloth/CVE-2012-6684.yml"},{"type":"WEB","url":"https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2014/Dec/50"},{"type":"WEB","url":"http://www.debian.org/security/2015/dsa-3168"}],"affected":[{"package":{"name":"RedCloth","ecosystem":"RubyGems","purl":"pkg:gem/RedCloth"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.0"}]}],"versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.1.0","4.1.1","4.1.9","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.4.pre1","4.2.4.pre2","4.2.4.pre3","4.2.5","4.2.7","4.2.8","4.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-r23g-3qw4-gfh2/GHSA-r23g-3qw4-gfh2.json"}}],"schema_version":"1.7.3"}