CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2017-1002201
https://notcve.org/view.php?id=CVE-2017-1002201
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code. En haml versiones anteriores a la versión 5.0.0.beta.2, cuando se usa la entrada del usuario para realizar tareas en el servidor, los caracteres como ( ) " ' necesitan escaparse apropiadamente. En este caso, el carácter ' se perdió. • https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html https://security.gentoo.org/glsa/202007-27 https://snyk.io/vuln/SNYK-RUBY-HAML-20362 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •