Cross-Site Scripting in Kaminari
Description
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-11082 is a cross-site scripting (XSS) vulnerability in Kaminari < 1.2.1: the `original_script_name` request parameter was not filtered out before the current request's params were merged into the pagination URLs, so an attacker-controlled value was carried into the generated links.
Root Cause
The vulnerability resides in the Kaminari pagination gem for Ruby web frameworks. The PARAM_KEY_EXCEPT_LIST constant in kaminari-core/lib/kaminari/helpers/tags.rb lists the request parameters that Kaminari drops before it merges the current request's params into the URL of every pagination link it renders. In versions before 1.2.1 the list contained only :authenticity_token, :commit, :utf8, :_method and :script_name [4]. :original_script_name was missing, so a request parameter of that name passed the filter, reached the pagination link helper and ended up in the generated link markup, giving an attacker a way to inject script into the page (XSS) [1][4]. Like :script_name, the key is an option that Rails' url_for consumes when building a URL (it becomes the path prefix of the generated link) rather than an ordinary query parameter, which is why it must never be forwarded from user input.
Exploitation
No authentication is required; the attack can be performed by anyone who can control the query parameters of a request that renders Kaminari pagination links (for example any page that calls the `paginate` helper). The vulnerable helper merges the current request's params, including a user-supplied original_script_name, into the URLs it generates for the other pages. An attacker appends &original_script_name=... with a malicious value to the page URL and sends the resulting link to a victim; the Kaminari helper then reflects that value into every pagination link without filtering it [1][3]. All Kaminari versions prior to 1.2.1 are affected.
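For a retrospective check of whether an application that ran a vulnerable Kaminari was probed, the following Ruby snippet scans access-log lines in the common combined format for requests whose query string carries `original_script_name` (or `script_name`). This is an added example, not code from the page or the Kaminari project; the log lines are constructed samples, and the function names, regular expression and placeholder parameter values are my own.

```ruby
require 'uri'

# Parameter names that should never appear in a request to a Kaminari-paginated page.
SUSPECT_KEYS = %w[original_script_name script_name].freeze

# Combined-format access log line (nginx/Apache). Captures client IP, timestamp,
# request method, request target (path + query) and response status.
LOG_LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample log lines (not real traffic); the third request carries the
# suspect parameter twice, the last line is deliberately malformed.
SAMPLE_LOG = <<~LOG
  203.0.113.10 - - [21/May/2026:10:00:01 +0000] "GET /posts?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.10 - - [21/May/2026:10:00:05 +0000] "GET /posts?page=2&original_script_name=%3Cpayload%3E HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
  198.51.100.7 - - [21/May/2026:10:01:12 +0000] "GET /posts?original_script_name=a&original_script_name=b&page=1 HTTP/1.1" 200 5200 "-" "curl/8.0"
  198.51.100.7 - - [21/May/2026:10:02:00 +0000] "POST /sessions HTTP/1.1" 302 0 "-" "curl/8.0"
  this line is not a valid log record
LOG

# Decode a query string into [key, value] pairs, falling back to a naive split if
# URI.decode_www_form rejects the input (e.g. non-ASCII bytes in a hand-crafted request).
def decode_query(query)
  URI.decode_www_form(query)
rescue ArgumentError
  query.split('&').map { |pair| key, _, value = pair.partition('='); [key, value] }
end

# Parse one log line into a hash, or return nil if it does not match the format.
def parse_log_line(line)
  m = LOG_LINE_RE.match(line) or return nil
  path, _, query = m[:target].partition('?')
  { ip: m[:ip], time: m[:time], method: m[:method], path: path,
    params: decode_query(query), status: m[:status].to_i }
end

# Returns one hash per request whose query string contains a suspect key,
# with the offending [key, value] pairs under :suspect_params.
def find_script_name_probes(log_text)
  log_text.each_line.filter_map do |line|
    entry = parse_log_line(line.chomp) or next
    hits = entry[:params].select { |key, _| SUSPECT_KEYS.include?(key.downcase) }
    next if hits.empty?
    entry.merge(suspect_params: hits)
  end
end

if __FILE__ == $PROGRAM_NAME
  find_script_name_probes(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} #{hit[:method]} #{hit[:path]} #{hit[:suspect_params].inspect}"
  end
end
```

Matching is on the parameter name only, since any occurrence is suspicious regardless of value; decoding the query with the standard library rather than a hand-rolled split keeps repeated keys and percent-encoded values intact, and the fallback keeps a single malformed request from aborting the whole scan.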
Impact
Successful exploitation allows an attacker to inject script into the pagination links served to other users. This has the usual XSS consequences: session theft, credential harvesting, actions performed in the victim's browser on their behalf, and compromise of the application's client-side security. The sources cited here do not state a CVSS score; the attack needs no authentication and no victim interaction beyond opening a crafted link.
Mitigation
The fix was released in Kaminari version 1.2.1 [2][4]. The commit [4] adds :original_script_name to PARAM_KEY_EXCEPT_LIST, so the parameter is dropped before pagination links are generated. Users are strongly advised to upgrade to 1.2.1 or later; Debian has also shipped fixed packages (DSA-5005 and the September 2021 debian-lts-announce message listed under References). If an upgrade is not immediately possible, strip the original_script_name parameter from incoming requests with a web application firewall rule or custom middleware that runs before the application parses request parameters.
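The middleware workaround mentioned above, as an added example in Ruby that is not part of Kaminari, Rails or the advisory. It is a minimal Rack-compatible middleware (a class with `initialize(app)` and `call(env)`) that removes `original_script_name` and `script_name` from the query string before the downstream app sees it; the class name, the env marker key `x.stripped_script_name_params`, the echo app and the constructed env hashes are my own assumptions. It needs no gems beyond the standard library, so it runs stand-alone.

```ruby
require 'uri'

# Hypothetical Rack middleware (an added example, not part of Kaminari or Rails) that
# removes the original_script_name and script_name query parameters before the
# application parses the request, as a stop-gap where upgrading Kaminari is delayed.
class StripScriptNameParams
  BLOCKED_KEYS = %w[original_script_name script_name].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    query = env['QUERY_STRING'].to_s
    unless query.empty?
      pairs = decode_query(query)
      kept  = pairs.reject { |key, _| BLOCKED_KEYS.include?(key.downcase) }
      if kept.length != pairs.length
        env['QUERY_STRING'] = URI.encode_www_form(kept)
        # Rack::Request caches parsed params under these keys; clear them in case
        # something earlier in the stack already parsed the original query string.
        env.delete('rack.request.query_string')
        env.delete('rack.request.query_hash')
        # Hypothetical marker so downstream logging can record the stripped count.
        env['x.stripped_script_name_params'] = pairs.length - kept.length
      end
    end
    @app.call(env)
  end

  private

  # Decode into [key, value] pairs; fall back to a naive split on malformed input.
  def decode_query(query)
    URI.decode_www_form(query)
  rescue ArgumentError
    query.split('&').map { |pair| key, _, value = pair.partition('='); [key, value] }
  end
end

# Minimal stand-in for the downstream app: echoes the query string it received.
ECHO_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, [env['QUERY_STRING'].to_s]] }

# Constructed Rack env (subset of the keys a real server provides).
def build_env(query)
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/posts', 'QUERY_STRING' => query }
end

# Runs a request through the middleware and returns the query string the app saw.
def filtered_query(query)
  status, _headers, body = StripScriptNameParams.new(ECHO_APP).call(build_env(query))
  raise "unexpected status #{status}" unless status == 200
  body.first
end

# Returns how many parameters the middleware stripped for a given query string.
def stripped_count(query)
  env = build_env(query)
  StripScriptNameParams.new(ECHO_APP).call(env)
  env.fetch('x.stripped_script_name_params', 0)
end
```

In a Rails application the class would be registered with `config.middleware.insert_before 0, StripScriptNameParams` so it runs ahead of everything that reads params. Two caveats: the middleware only rewrites the query string, so a parameter of the same name arriving in a POST form body (which Rails also merges into `params`) would not be caught, and removing the key means a legitimate Rails engine relying on it could not use it; neither limitation exists once the gem is upgraded, so treat this strictly as a temporary measure.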
- [1] GitHub - kaminari/kaminari: A Scope & Engine based, clean, powerful, customizable and sophisticated paginator for Ruby webapps
- [2] NVD - CVE-2020-11082
- [3] ruby-advisory-db/gems/kaminari/CVE-2020-11082.yml at master · rubysec/ruby-advisory-db
- [4] Blacklist "original_script_name" get param · kaminari/kaminari@8dd52a1
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kaminari (RubyGems) | < 1.2.1 | 1.2.1 |
Affected products
- kaminari/Kaminari: < 1.2.1
Patches
8dd52a1aed3d Blacklist "original_script_name" get param
1 file changed · +1 −1
kaminari-core/lib/kaminari/helpers/tags.rb+1 −1 modified@@ -2,7 +2,7 @@ module Kaminari module Helpers - PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name].freeze + PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze # A tag stands for an HTML tag inside the paginator. # Basically, a tag has its own partial template file, so every tag can be
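Review bot: the change ships without a regression test (1 file changed, +1 −1); add a helper spec asserting that pagination links generated for a request carrying original_script_name (and script_name) do not contain that parameter, so the next omission from PARAM_KEY_EXCEPT_LIST is caught rather than regressing silently. A short comment above the constant stating why each of these keys must be excluded would also help future maintainers, since the list is a denylist and nothing in the hunk explains what makes :script_name and :original_script_name different from ordinary query parameters.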
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r5jw-62xg-j433 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-11082 (NVD)
- www.debian.org/security/2021/dsa-5005 (Debian vendor advisory, DSA-5005)
- github.com/github/advisory-review/pull/1020 (GitHub advisory review)
- github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8 (fix commit)
- github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433 (upstream advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/kaminari/CVE-2020-11082.yml (ruby-advisory-db entry)
- lists.debian.org/debian-lts-announce/2021/09/msg00011.html (Debian LTS announcement)
News mentions
No linked articles in our index yet.