CVE-2020-11082

Published about 2 months ago
Category: Code Injection
Source: GitHub
Severity: Severe

Vulnerability in kaminari

Impact

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

For example, an attacker could craft pagination links that link to other domain or host: https://example.com/posts?page=4&original_script_name=https://another-host.example.com

In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link: https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//

Releases

The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.

Workarounds

Application developers who can’t update the gem can workaround by overriding the PARAM_KEY_EXCEPT_LIST constant.

module Kaminari::Helpers
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end
CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 1.2.1

Unaffected Versions

n/a

References

n/a