Bug 912212 (CVE-2012-6684) - VUL-0: CVE-2012-6684: rubygem-RedCloth: XSS vulnerability
Summary: VUL-0: CVE-2012-6684: rubygem-RedCloth: XSS vulnerability
Status: RESOLVED FIXED
Alias: CVE-2012-6684
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other / OS: openSUSE 13.2
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: craig gardner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112106/
Whiteboard: CVSSv2:NVD:CVE-2012-6684:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-08 10:18 UTC by Victor Pereira
Modified: 2019-05-01 16:38 UTC (History)
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-01-08 10:18:44 UTC
CVE-2012-6684 

Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby
and earlier allows remote attackers to inject arbitrary web script or HTML via a
javascript: URI.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179870
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6684
https://gist.github.com/co3k/75b3cb416c342aa1414c
http://seclists.org/fulldisclosure/2014/Dec/50
http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
http://co3k.org/blog/redcloth-unfixed-xss-en
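As an added, defender-side illustration (not RedCloth's code and not taken from this bug report): a scheme allowlist for link and image targets in rendered output, which is the check a markup renderer needs so that a javascript: URI cannot survive into an href or src attribute. The function names, the SAFE_SCHEMES list and the sample markup are assumptions of this example, and it goes slightly beyond the report by normalising the common ways a scheme is disguised (case, leading whitespace, embedded tabs, numeric entities).

```ruby
# Added example, not RedCloth's own code: allowlist link schemes in rendered HTML.
SAFE_SCHEMES = %w[http https mailto ftp].freeze

# True only when the target is a relative URL or uses an allowlisted scheme.
# Mimics browser pre-processing so that case changes, leading whitespace,
# embedded tab/CR/LF and numeric character references cannot hide the scheme.
def safe_uri?(raw)
  s = raw.to_s.dup
  # decode numeric character references (&#106; / &#x6a;) before inspecting
  s = s.gsub(/&#x([0-9a-f]+);?/i) { [Regexp.last_match(1).hex].pack('U') }
  s = s.gsub(/&#(\d+);?/) { [Regexp.last_match(1).to_i].pack('U') }
  # drop leading C0 controls/whitespace and tab/CR/LF anywhere (browsers ignore them)
  s = s.sub(/\A[\u0000-\u0020\u007f]+/, '').gsub(/[\t\r\n]/, '')
  colon = s.index(':')
  return true if colon.nil?                 # no scheme at all => relative URL
  delim = s.index(%r{[/?#]})
  return true if delim && delim < colon     # colon belongs to path/query => relative
  SAFE_SCHEMES.include?(s[0...colon].downcase)
end

# Rewrites href/src attributes whose target fails safe_uri? to "#".
# Regex-based for brevity; a production filter should run a real HTML
# sanitizer (e.g. the sanitize or loofah gems) over the renderer's output.
def neutralize_links(html)
  html.gsub(/\b(href|src)\s*=\s*(["'])(.*?)\2/im) do
    attr, quote, target = Regexp.last_match(1), Regexp.last_match(2), Regexp.last_match(3)
    safe_uri?(target) ? Regexp.last_match(0) : "#{attr}=#{quote}##{quote}"
  end
end

# Constructed sample: one benign link, one link whose scheme must be neutralised.
DEMO_HTML = '<a href="https://example.test/doc">doc</a> <a href="javascript:void(0)">x</a>'
puts neutralize_links(DEMO_HTML) if $PROGRAM_NAME == __FILE__
```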
Comment 1 Swamp Workflow Management 2015-01-08 23:00:23 UTC
bugbot adjusting priority
Comment 2 Marcus Rückert 2015-06-15 17:11:21 UTC
obs MR #312139
Comment 3 Marcus Rückert 2015-06-15 17:17:24 UTC
not on any SLE product. back to security team
Comment 4 Marcus Rückert 2015-06-15 17:22:55 UTC
Jordi just told me that Studio is using the gem as well. So the ball goes to your team next.

You can find the patch in the OBS maintenance request.
Comment 5 Johannes Segitz 2017-08-04 10:34:08 UTC
fixed in current openSUSE versions. If there's something to do for you on Studio please reopen. According to the channel date we don't use this anywhere