Description
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
Remediation
References
Related Vulnerabilities
WordPress Plugin The Guardian News Feed Cross-Site Request Forgery (0.4)
WordPress Plugin Elementor Website Builder Security Bypass (2.9.5)
WordPress Plugin Unite Gallery Lite Multiple Vulnerabilities (1.4.6)
IBM RTC Improper Restriction of XML External Entity Reference Vulnerability (CVE-2016-9707)
WordPress Plugin Feedify-Web Push Notifications Cross-Site Scripting (2.1.8)