Moderate severityNVD Advisory· Published Mar 1, 2013· Updated Apr 29, 2026

CVE-2013-0256

Description

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rdocRubyGems	>= 2.3.0, < 3.12.1	3.12.1

Affected products

Ruby Lang/Rdoc2 versions
cpe:2.3:a:ruby-lang:rdoc:4.0.0:preview2:*:*:*:ruby:*:*+ 1 more
- cpe:2.3:a:ruby-lang:rdoc:4.0.0:preview2:*:*:*:ruby:*:*
- cpe:2.3:a:ruby-lang:rdoc:*:*:*:*:*:ruby:*:*range: >=2.3.0,<3.12
Ruby Lang/Ruby13 versions
cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*
Canonical (company)/Ubuntu Linux2 versions
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*+ 1 more
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*

Patches

ffa87887ee05

https://github.com/rdoc/rdocvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2nvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.htmlnvdMailing ListThird Party AdvisoryWEB
lists.opensuse.org/opensuse-updates/2013-02/msg00048.htmlnvdMailing ListThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2013-0548.htmlnvdThird Party Advisory
rhn.redhat.com/errata/RHSA-2013-0686.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2013-0701.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2013-0728.htmlnvdThird Party AdvisoryWEB
secunia.com/advisories/52774nvdThird Party Advisory
www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/nvdVendor Advisory
www.ubuntu.com/usn/USN-1733-1nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-v2r9-c84j-v7xmghsaADVISORY
github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60nvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2013-0256ghsaADVISORY
www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256ghsaWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2013-0256.ymlghsaWEB
web.archive.org/web/20130402173730/http://blog.segment7.net:80/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.002
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000