CVE-2017-1002201 (GCVE-0-2017-1002201)
Vulnerability from cvelistv5 – Published: 2019-10-15 17:35 – Updated: 2024-08-05 22:08
Summary
In haml versions prior to 5.0.0.beta.2, user-controlled values placed into HTML attributes were not escaped completely: the characters < > " and ' all need escaping in that context, but haml's attribute escaping missed the ' character. When an attribute value is wrapped in single quotes, an attacker who controls the value can close it with a ' and append further attributes, such as an event handler, so that attacker-supplied script runs in the victim's browser (cross-site scripting). The impact is client-side script execution, not code execution on the server.
Severity
No CVSS data available.
CWE
- CWE-79: Cross-site Scripting (XSS)
Assigner: dwf (Distributed Weakness Filing, cve-assign@distributedweaknessfiling.org)
References
| URL | Name | Tags |
|---|---|---|
| https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 | (fix commit) | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-RUBY-HAML-20362 | SNYK-RUBY-HAML-20362 | x_refsource_CONFIRM |
| https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html | [debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update | mailing-list, x_refsource_MLIST |
| https://security.gentoo.org/glsa/202007-27 | GLSA-202007-27 | vendor-advisory, x_refsource_GENTOO |
| https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html | [debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| http://haml.info/ | haml | All versions prior to version 5.0.0.beta.2 | affected |
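The attribute-escaping gap described in the summary and the version boundary listed above, as an added example in Ruby that is not haml's own code: a minimal escaper that handles & < > " but not ' (modelled on the CVE text, not copied from haml's source), the same escaper with ' added, a tag renderer that wraps attribute values in a chosen quote character (a stand-in for haml's `:attr_wrapper` option; where haml does the wrapping internally is an assumption here), a quote-aware attribute counter used as the check, and a `Gem::Version` comparison against 5.0.0.beta.2. The payload, the tag names and the version strings are constructed for the example.

```ruby
require "rubygems"

# Added example, not haml's own code: a minimal model of the attribute-escaping
# gap behind CVE-2017-1002201 and of the check a reviewer would run.

# Pre-fix escaper, modelled on the CVE text: & < > " are escaped, ' is missed.
VULNERABLE_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;"
}.freeze

# Post-fix escaper: ' is escaped too (as &#39;, which every HTML parser accepts).
FIXED_ESCAPES = VULNERABLE_ESCAPES.merge("'" => "&#39;").freeze

# Escape only the characters present in the table; anything else passes through.
def escape_with(table, value)
  value.to_s.gsub(/[&<>"']/) { |c| table.fetch(c, c) }
end

def vulnerable_escape(value)
  escape_with(VULNERABLE_ESCAPES, value)
end

def fixed_escape(value)
  escape_with(FIXED_ESCAPES, value)
end

# Render a start tag, wrapping each attribute value in +wrapper+ (stand-in for
# haml's :attr_wrapper option). The escaper is injected so both variants can be
# compared on identical input.
def render_tag(name, attrs, wrapper:, escaper:)
  rendered = attrs.map { |k, v| "#{k}=#{wrapper}#{escaper.call(v)}#{wrapper}" }
  "<#{name} #{rendered.join(' ')}>"
end

# Quote-aware attribute parser: returns the attribute names a browser would see.
# A naive /name=/ scan would also match text inside a value, so the regex
# consumes each quoted value before looking for the next name.
def attribute_names(tag)
  tag.scan(/\s([A-Za-z-]+)=(["'])(.*?)\2/).map(&:first)
end

# Constructed attacker input: a ' closes a single-quoted value, and what follows
# is parsed as a new attribute (here an event handler).
PAYLOAD = "http://example.com/' onmouseover='alert(1)".freeze

# The check: does the rendered tag carry attributes the template never declared?
def injected_attributes(tag, expected)
  attribute_names(tag) - expected.map(&:to_s)
end

# Version boundary from the record: everything before 5.0.0.beta.2 is affected.
# Gem::Version orders prerelease tags correctly: 5.0.0.beta.1 < 5.0.0.beta.2 < 5.0.0.
FIXED_IN = Gem::Version.new("5.0.0.beta.2")

def haml_version_affected?(version_string)
  Gem::Version.new(version_string) < FIXED_IN
end

if __FILE__ == $PROGRAM_NAME
  [["vulnerable escaper, ' wrapper", "'", method(:vulnerable_escape)],
   ["vulnerable escaper, \" wrapper", '"', method(:vulnerable_escape)],
   ["fixed escaper, ' wrapper", "'", method(:fixed_escape)]].each do |label, wrapper, escaper|
    tag = render_tag("a", { href: PAYLOAD }, wrapper: wrapper, escaper: escaper)
    puts "#{label}: #{tag}"
    puts "  injected attributes: #{injected_attributes(tag, [:href]).inspect}"
  end
  %w[4.0.7 5.0.0.beta.1 5.0.0.beta.2 5.2.2].each do |v|
    puts "haml #{v}: #{haml_version_affected?(v) ? 'affected' : 'fixed'}"
  end
end
```

The second rendering shows the caveat a practitioner would want: with the same unfixed escaper, a double-quoted attribute wrapper is not broken out of by this payload, because " is escaped. The missing ' only becomes exploitable where attribute values are single-quoted, so when triaging an application on an affected haml version, check which wrapper its templates actually emit rather than assuming every attribute is reachable.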
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "haml",
"vendor": "http://haml.info/",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 5.0.0.beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-29T14:06:09.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "haml",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 5.0.0.beta.2"
}
]
}
}
]
},
"vendor_name": "http://haml.info/"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2017-1002201",
"datePublished": "2019-10-15T17:35:57.000Z",
"dateReserved": "2019-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T22:08:11.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.