CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2021-31799 – rubygem-rdoc: Command injection vulnerability in RDoc
https://notcve.org/view.php?id=CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. En RDoc versiones 3.11 hasta 6.x versiones anteriores a 6.3.1, como se distribuye con Ruby versiones hasta 3.0.1, es posible ejecutar código arbitrario por medio de | y etiquetas en un nombre de archivo An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc. • https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html https://security-tracker.debian.org/tracker/CVE-2021-31799 https://security.gentoo.org/glsa/202401-05 https://security.netapp.com/advisory/ntap-20210902-0004 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc https://access.redhat.com/security/cve/CVE-2021-31799 https://bugzilla.redhat.com/show_bug.cgi?id=1980132 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0CVE-2013-0256 – rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template
https://notcve.org/view.php?id=CVE-2013-0256
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. darkfish.js de RDoc v2.3.0 hasta v3.12 y v4.x antes de v4.0.0.preview2.1, tal como se utiliza en Ruby, no se generó correctamente los documentos, que permite a atacantes remotos realizar ejecución de secuencias de comandos en sitios cruzados (XSS) a través de una URL manipulada. • http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html http://rhn.redhat.com/errata/RHSA-2013-0548.html http://rhn.redhat.com/errata/RHSA-2013-0686.html http://rhn.redhat.com/errata/RHSA-2013-0701.html http://rhn.redhat.com/errata/RHSA-2013-0728.html http://secunia.com/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •