QwikSec

Security Database

CVE

CWE

Training

CVE-2017-1002201

Published: Oct 15, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

Vendor	Product	Versions
http://haml.info/	haml	affected `All versions prior to version 5.0.0.beta.2`

References

https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2

x_refsource_MISC

https://snyk.io/vuln/SNYK-RUBY-HAML-20362

x_refsource_CONFIRM

[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_GENTOO

[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.