CVE-2012-6684

NameCVE-2012-6684
DescriptionCross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-167-1, DSA-3168-1
NVD severitymedium (attack range: remote)
Debian Bugs774748

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-redcloth (PTS)wheezy, wheezy (security)4.2.9-2+deb7u2fixed
jessie4.2.9-4fixed
buster, sid, stretch4.3.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redclothsource(unstable)(unfixed)medium
redclothsourcesqueeze4.2.2-1.1+deb6u1mediumDLA-167-1
ruby-redclothsource(unstable)4.2.9-4medium774748
ruby-redclothsourcewheezy4.2.9-2+deb7u2mediumDSA-3168-1

Notes

http://co3k.org/blog/redcloth-unfixed-xss-en

Search for package or bug name: Reporting problems