CVE-2012-6684: Textile Link Parsing XSS

January 7, 2015 (updated September 2, 2016)

RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when parsing textile links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

References

co3k.org/blog/redcloth-unfixed-xss-en
bugs.debian.org/774748
github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c

Detect and mitigate CVE-2012-6684 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →