VYPR
Medium severity (score 6.1) · NVD Advisory · Published Nov 13, 2017 · Updated May 13, 2026

CVE-2017-16792

Description

Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
geminabox (RubyGems)    < 0.13.10           0.13.10

Patches

f8429a9e3646

Fix CVE-2017-16792 - Stored XSS

https://github.com/geminabox/geminabox · sonots · Nov 11, 2017 · via GHSA
3 files changed · +11 -2
  • lib/geminabox/server.rb  +9 -0  modified
    @@ -307,6 +307,15 @@ def combined_gem_list
         end
     
         helpers do
    +      def href(text)
    +        escaped_text = Rack::Utils.escape_html(text)
    +        if escaped_text.start_with?('http://') || escaped_text.start_with?('https://')
    +          escaped_text
    +        else
    +          '#'
    +        end
    +      end
    +
           def h(text)
             Rack::Utils.escape_html(text)
           end
    
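Review bot: the scheme allow-list in the new `href` helper (`start_with?('http://') || start_with?('https://')`) is case-sensitive, so a legitimate `HTTP://...` homepage is downgraded to `#`; compare against `escaped_text.downcase` (or parse with `URI` and check the scheme) if mixed-case schemes should stay clickable. A short comment above the helper would also document the intent: `h` only HTML-escapes, which is why the previous `h(spec.homepage)` still allowed a non-http URL scheme to become a live link, and `href` closes that by emitting only http(s) URLs and `#` for everything else. Finally, `text` has no explicit nil guard; if `spec.homepage` can be nil, confirm `Rack::Utils.escape_html(nil)` behaves acceptably here or call `text.to_s` first.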
  • views/gem.erb  +1 -1  modified
    @@ -27,7 +27,7 @@
               <%= spec.description %>
               <br/>
               <span class="author">– <%= spec.authors.map do |author|
    -            "<a href='#{h(spec.homepage)}'>#{author}</a>"
    +            "<a href='#{href(spec.homepage)}'>#{author}</a>"
               end.join(', ') %></span>
             <% end %>
             </p>
    
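Review bot: on the changed line the neighbouring `#{author}` interpolation is still emitted without `h`, while `spec.homepage` now goes through `href`; both values come from the same untrusted gemspec, so escape the author as well: `"<a href='#{href(spec.homepage)}'>#{h(author)}</a>"`. The surrounding `<%= spec.description %>` context line likewise has no `h`; confirm the templates are configured to auto-escape or route it through `h` too.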
  • views/index.erb  +1 -1  modified
    @@ -46,7 +46,7 @@
                   <%= spec.description %>
                   <br/>
                   <span class="author">– <%= spec.authors.map do |author|
    -                "<a href='#{h(spec.homepage)}'>#{author}</a>"
    +                "<a href='#{href(spec.homepage)}'>#{author}</a>"
                   end.join(', ') %></span>
                 <% end %>
               </p>
    
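Review bot: this hunk is a byte-for-byte duplicate of the author/homepage markup fixed in views/gem.erb, and both copies had to be patched for one bug; consider moving the author-link rendering into a shared helper or partial so the next fix lands in one place. As in gem.erb, the `#{author}` value on this line is still interpolated without `h`.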
