CVE-2021-25974

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/publify_core

Identifiers

CVE-2021-25974

Package Slug

gem/publify_core

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Publify is vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

Affected Versions

All versions starting from 8.0 up to 9.2.4

Solution

Upgrade to version 9.2.5 or above.

Last Modified

2021-11-15
