geminabox 0.12.2

3 security vulnerabilities found in version 0.12.2

Gem in a Box vulnerable to Cross-site Request Forgery

high severity CVE-2017-14683
high severity CVE-2017-14683
Patched versions: >= 0.13.7

geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload.

Stored XSS in "geminabox" via injection in Gemspec "homepage" value

medium severity CVE-2017-16792
medium severity CVE-2017-16792
Patched versions: >= 0.13.10

Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) allows attackers to inject arbitrary web script via a crafted JavaScript URL in the "homepage" value of a ".gemspec" file.

A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for upload to the Geminabox server, in order to achieve stored XSS via the gem hyperlink.

Gem in a Box vulnerable to Cross-site Scripting

medium severity CVE-2017-14506
medium severity CVE-2017-14506
Patched versions: >= 0.13.6

geminabox (aka Gem in a Box) before 0.13.6 is vulnerable to Cross-site Scripting (XSS), as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.