CVE-2020-25739
Ubuntu Security Notice USN-4560-1
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
It was discovered that Gon gem did not properly escape certain input. An attacker could use this vulnerability to execute a cross-site scripting attack.
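The mitigation the description refers to, escaping JSON output for XSS without depending on the JSON backend, can be shown with a short Ruby function. The code below is an added illustration written for this page, not gon's json_dumper.rb, and the function and constant names (`dump_for_script`, `HTML_ESCAPES`, `script_tag`) are assumptions of mine. It replaces the HTML-significant characters in an already-serialized JSON string with `\u` escapes, which keeps the JSON valid for `JSON.parse` while ensuring no literal `<`, `>` or `&` reaches an inline `<script>` block.

```ruby
require 'json'

# JSON \u escapes for the characters that matter inside an inline <script>.
# The output stays valid JSON, but contains no literal '<', '>' or '&', so a
# user-controlled value cannot close the <script> element or start an entity.
# U+2028/U+2029 are escaped too, since they terminate a line in JavaScript
# source but are legal unescaped inside a JSON string.
HTML_ESCAPES = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Serialize an object to JSON that is safe to embed inside a <script> tag,
# regardless of whether the JSON backend honours any escape option itself.
# (Hypothetical helper, not gon's own API.)
def dump_for_script(object)
  JSON.generate(object).gsub(/[<>&\u2028\u2029]/, HTML_ESCAPES)
end

# Sanity check: the escaped output must still parse back to the same object.
def round_trips?(object)
  JSON.parse(dump_for_script(object)) == object
end

# The inline script a page would emit to hand server data to the client.
def script_tag(var_name, object)
  "<script>window.#{var_name} = #{dump_for_script(object)};</script>"
end

if __FILE__ == $0
  # Constructed sample input: user-supplied text containing a closing tag.
  untrusted = { 'name' => 'Ada </script><b>x</b>', 'note' => 'a & b' }
  puts JSON.generate(untrusted)   # backend output: literal </script> survives
  puts dump_for_script(untrusted) # escaped: no literal <, > or & remains
  puts round_trips?(untrusted)    # true
end
```

Escaping after serialization rather than trusting a backend flag is the point: the same three-character substitution works whatever library produced the JSON, which is exactly the independence from MultiJson that the fix in gon 6.4.0 introduces.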
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-09-17 CVE Reserved
- 2020-09-23 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
URL | Tag | Date
---|---|---
https://lists.debian.org/debian-lts-announce/2020/09/msg00018.html | Mailing List |
https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7 | | 2023-01-31
https://usn.ubuntu.com/4560-1 | | 2023-01-31
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Gon Project | Gon | < 6.4.0 | ruby | Affected
Canonical | Ubuntu Linux | 18.04 | lts | Affected
Debian | Debian Linux | 9.0 | - | Affected