mapbox-rails 1.0.2

2 security vulnerabilities found in version 1.0.2

mapbox-rails Content Injection via TileJSON Name

medium severity CVE-2017-1000043
medium severity CVE-2017-1000043
Patched versions: ~> 1.6.6, >= 2.2.4

Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

If you use L.mapbox.map and L.mapbox.shareControl it is possible for a malicious user with control over the TileJSON content to inject script content into the name value of the TileJSON. After clicking on the share control, the malicious code will execute in the context of the page using Mapbox.js.

Such usage is uncommon. L.mapbox.shareControl is not automatically added to Mapbox.js maps and must be explicitly added. The following usage scenarios are not vulnerable:

  • the map does not use a share control (L.mapbox.sharecontrol)
  • only trusted TileJSON content is loaded

mapbox-rails Content Injection via TileJSON attribute

medium severity CVE-2017-1000042
medium severity CVE-2017-1000042
Patched versions: ~> 1.6.5, >= 2.1.7

Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON content from a non-Mapbox URL, it is possible for a malicious user with control over the TileJSON content to inject script content into the "attribution" value of the TileJSON which will be executed in the context of the page using Mapbox.js.

Such usage is uncommon. The following usage scenarios are not vulnerable:

  • only trusted TileJSON content is loaded

  • TileJSON content comes only from mapbox.com URLs

  • a Mapbox map ID is supplied, rather than a TileJSON URL

  • CWE: 79 - Improper Neutralization of Input During Web Page Generation (XSS)

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.