CVE-2012-6684 — ruby-redcloth - security update

Description

Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.

How to fix CVE-2012-6684

To remediate CVE-2012-6684, upgrade the affected package to a fixed version below.

Debian/redcloth—upgrade to 4.2.2-1.1+deb6u1 or later
Debian/ruby-redcloth—upgrade to 4.2.9-4 or later
Debian/ruby-redcloth—upgrade to 4.2.9-2+deb7u2 or later
—upgrade to 4.3.0 or later

Is CVE-2012-6684 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 4.2.2-1.1+deb6u1
from 0, < 4.2.9-4
from 0, < 4.2.9-2+deb7u2
from 0, < 4.3.0

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6684
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-6684
WEBco3k.org/blog/redcloth-unfixed-xss-en
WEBseclists.org/fulldisclosure/2014/Dec/50
WEB