forked from github/advisory-database
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA-g377-x8rg-c9mf GHSA-273c-fjw8-v2w8 GHSA-5m48-c37x-f792 GHSA-7298-w54j-q7wm GHSA-gmh3-x5w7-jg5m GHSA-pgp9-x83g-v8x8 GHSA-rm23-6mwv-8q9q GHSA-v3r8-6vfj-pppf GHSA-5m48-c37x-f792 GHSA-gmh3-x5w7-jg5m
- Loading branch information
1 parent
355e6dc
commit 63fbd39
Showing
10 changed files
with
403 additions
and
99 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
184 changes: 184 additions & 0 deletions
184
advisories/github-reviewed/2022/07/GHSA-5m48-c37x-f792/GHSA-5m48-c37x-f792.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,184 @@ | ||
{ | ||
"schema_version": "1.2.0", | ||
"id": "GHSA-5m48-c37x-f792", | ||
"modified": "2022-07-12T21:27:47Z", | ||
"published": "2022-07-01T00:01:11Z", | ||
"aliases": [ | ||
"CVE-2013-4170" | ||
], | ||
"summary": "Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data", | ||
"details": "In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (\"XSS\"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`.", | ||
"severity": [ | ||
{ | ||
"type": "CVSS_V3", | ||
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
} | ||
], | ||
"affected": [ | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc1.1" | ||
} | ||
] | ||
} | ||
], | ||
"database_specific": { | ||
"last_known_affected_version_range": "<= 1.0.0.rc1.0" | ||
} | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "1.0.0.rc2.0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc2.1" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"1.0.0.rc2.0" | ||
] | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "1.0.0.rc3.0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc3.1" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"1.0.0.rc3.0" | ||
] | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "1.0.0.rc4.0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc4.1" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"1.0.0.rc4.0" | ||
] | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "1.0.0.rc5.0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc5.1" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"1.0.0.rc5.0" | ||
] | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "ember-source" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "1.0.0.rc6.0" | ||
}, | ||
{ | ||
"fixed": "1.0.0.rc6.1" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"1.0.0.rc6.0" | ||
] | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4170" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ember-source/CVE-2013-4170.yml" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://groups.google.com/g/ember-security/c/dokLVwwxAdM" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://rubysec.com/advisories/CVE-2013-4170/" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://security.snyk.io/vuln/SNYK-RUBY-EMBERSOURCE-20102" | ||
} | ||
], | ||
"database_specific": { | ||
"cwe_ids": [ | ||
"CWE-79" | ||
], | ||
"severity": "MODERATE", | ||
"github_reviewed": true | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.