VYPR
Moderate severity · NVD Advisory · Published Jul 15, 2022 · Updated Aug 4, 2024

CVE-2020-35305

Description

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gollum wiki versions from 5.0 up to, but not including, 5.1.2 contain a stored XSS vulnerability: a page name supplied through the filename parameter of the 'New Page' dialog is rendered into the breadcrumb without escaping.

Vulnerability

Analysis

CVE-2020-35305 describes a stored cross-site scripting (XSS) vulnerability in the Gollum wiki software, affecting versions from 5.0 up to 5.1.2 (5.1.2 itself carries the fix). The file name entered in the 'New Page' dialog becomes the page's path in the repository, and the breadcrumb rendered by the overview and page views (lib/gollum/views/overview.rb and lib/gollum/views/page.rb) interpolated each path segment straight into HTML without escaping. A file name containing markup, for example `<img src=x onerror=alert(1)>`, is therefore committed as part of the page path and executes as live HTML in the browser of anyone who views that page or the overview that lists it.[1][3]

Exploitation

An attacker needs the ability to create new pages in the Gollum wiki, which usually means an authenticated account; a wiki that allows anonymous or guest editing exposes the issue to anyone who can reach it. The payload is the file name itself: the attacker creates a page whose name contains a script-bearing tag, the name is committed to the repository as the page path, and the unescaped breadcrumb turns it into live markup for every subsequent visitor, administrators included.[2][4]

Impact

Successful exploitation can lead to session hijacking, defacement of the wiki, or theft of information displayed to the victim, and the script runs with whatever privileges the viewing user holds. Because the payload lives in the page path committed to the repository, it persists until the page is renamed or deleted, and it fires for every user who views the page or the overview that lists it.

Mitigation

The issue was addressed in Gollum 5.1.2 by commit 137728cdabc0 ("Guard against malicious file names"), which passes each breadcrumb title through CGI.escape before interpolating it into HTML in the overview and page views. Note that CGI.escape is URL (percent) encoding rather than HTML escaping: it neutralises the `<` and `>` of a payload, but it also rewrites legitimate titles (spaces become `+`, non-ASCII characters are percent-encoded), and the fix leaves the raw path segment in the link's href attribute. Users should upgrade to 5.1.2 or later. No workaround is documented; restricting page creation to trusted users reduces exposure but does not remove the rendering bug.[1][3]
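The rendering path described in the analysis and the escaping choice made by the fix, as an added example that is not Gollum's own code: a cut-down breadcrumb builder in the shape of the one patched in lib/gollum/views/page.rb, run three ways, with the pre-fix raw interpolation, with the CGI.escape call the fix introduced, and with CGI.escapeHTML for comparison. OVERVIEW_PATH, the two sample paths and the helper names (breadcrumb, link_texts, safe_breadcrumb?) are assumptions made for this example.

```ruby
require 'cgi'
require 'pathname'

# Added example, not Gollum's code. OVERVIEW_PATH is a hypothetical stand-in
# for the view's overview_path helper.
OVERVIEW_PATH = '/wiki/overview'

# Constructed inputs: a page path carrying the payload used by the fix's own
# tests, and a harmless title with spaces and punctuation.
MALICIOUS_PATH = 'Docs/<img src=x onerror=alert(1)>'
BENIGN_PATH    = 'Docs/Release Notes 5.1'

# Three ways of treating the visible title of each breadcrumb segment.
TITLE_RAW  = ->(t) { t }                    # pre-5.1.2 behaviour
TITLE_URL  = ->(t) { CGI.escape(t) }        # what commit 137728cdabc0 does
TITLE_HTML = ->(t) { CGI.escapeHTML(t) }    # HTML-escaping alternative

# Build the breadcrumb for `path`, one <li> per path segment. The href keeps
# the raw segment, exactly as the patched code does; only the title changes.
def breadcrumb(path, escaper)
  items = []
  Pathname.new(path).descend do |crumb|
    title = crumb.basename.to_s
    items << %{<li class="breadcrumb-item"><a href="#{OVERVIEW_PATH}/#{crumb}/">#{escaper.call(title)}</a></li>}
  end
  %{<nav aria-label="Breadcrumb"><ol>#{items.join("\n")}</ol></nav>}
end

# Pull out the visible link texts so the check looks at text nodes rather
# than the whole document (the href attribute still carries the raw segment).
def link_texts(html)
  html.scan(%r{<a href="[^"]*">(.*?)</a>}m).flatten
end

# A breadcrumb counts as safe when no link text contains an unescaped '<' or
# '>' that a browser would parse as markup.
def safe_breadcrumb?(html)
  link_texts(html).none? { |text| text.match?(/[<>]/) }
end

if $PROGRAM_NAME == __FILE__
  { 'raw (vulnerable)'      => TITLE_RAW,
    'CGI.escape (5.1.2 fix)' => TITLE_URL,
    'CGI.escapeHTML'         => TITLE_HTML }.each do |label, escaper|
    [MALICIOUS_PATH, BENIGN_PATH].each do |path|
      html = breadcrumb(path, escaper)
      puts "#{label.ljust(24)} safe=#{safe_breadcrumb?(html)} titles=#{link_texts(html).inspect}"
    end
  end
end
```

Running it shows the raw variant unsafe and the two escaped variants safe, but also why CGI.escape is the wrong escaper for HTML text content: the benign title comes out as `Release+Notes+5.1`, while CGI.escapeHTML leaves it readable. In all three variants the href still interpolates the raw segment, as the patched code does, so the attribute value is a separate concern from the text node.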

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gollum (RubyGems)
Affected versions: >= 5.0, < 5.1.2
Patched versions: 5.1.2

Affected products

2 listed
  • gollum/gollum (from the description)
  • ghsa-coords (range: >= 5.0, < 5.1.2)

Patches

1 listed

137728cdabc0: Guard against malicious file names

https://github.com/gollum/gollum · Dawa Ometto · Dec 1, 2020 · via ghsa
5 files changed · +22 -4
  • lib/gollum/views/overview.rb (+2 -2, modified)
    @@ -25,9 +25,9 @@ def breadcrumb
                 title = crumb.basename
     
                 if title == path.basename
    -              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{title}</li>}
    +              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{CGI.escape(title.to_s)}</li>}
                 else
    -              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{title}</a></li>}
    +              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(title.to_s)}</a></li>}
                 end
               end
               breadcrumb << %{</ol></nav>}
    
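Review bot: CGI.escape in both branches of the `if` is URL (percent) encoding, not HTML escaping; it does neutralise `<` and `>` in a title, but it also turns every space into `+` and percent-encodes any non-ASCII character, so an ordinary page name such as `Release Notes` is shown as `Release+Notes` in the breadcrumb. CGI.escapeHTML is the escaper matched to HTML text content and leaves such titles readable; consider `#{CGI.escapeHTML(title.to_s)}` on both `+` lines.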
  • lib/gollum/views/page.rb (+1 -1, modified)
    @@ -32,7 +32,7 @@ def breadcrumb
             path.descend do |crumb|
               element = "#{crumb.basename}"
               next if element == @page.title
    -          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{element}</a></li>}
    +          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(element.to_s)}</a></li>}
             end
             breadcrumb << %{</ol></nav>}
             breadcrumb.join("\n")
    
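Review bot: the `href` attribute on the `+` line still interpolates `#{crumb}` raw, so only the link text is protected; a path segment containing a double quote would terminate the attribute value and whatever follows it lands in the tag. Escape the attribute as well (percent-encode each path segment for the URL, then run the attribute value through CGI.escapeHTML), and for the visible text prefer CGI.escapeHTML over CGI.escape, which URL-encodes and rewrites spaces as `+`.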
  • README.md (+1 -1, modified)
    @@ -6,7 +6,7 @@ gollum -- A git-based Wiki
     [![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
     [![Cutting Edge Dependency Status](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/svg 'Cutting Edge Dependency Status')](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/info)
     
    -**Please update to gollum 5.1.1 to counter a recent exploit in the kramdown rendering gem, [CVE-2020-14001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001)**
    +**Please update to gollum 5.1.2 to counter a recent exploit. More info will follow after CVE is assigned.**
     
     **Gollum version 5.0 is out!** See [here](https://github.com/gollum/gollum/wiki/5.0-release-notes) for a list of changes and new features compared to Gollum version 4.x, and see some [Screenshots](https://github.com/gollum/gollum/wiki/Screenshots) of Gollum's features.
     
    
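Review bot: the replacement line drops the pointer to CVE-2020-14001 (the kramdown issue the 5.1.1 line pointed at) instead of adding to it, and "More info will follow after CVE is assigned" gives a reader nothing to search for. Keep the 5.1.1 sentence and add a second one for 5.1.2 that links to the GitHub security advisory, so both upgrade reasons stay visible and the placeholder is replaced once the CVE is assigned.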
  • test/test_overview_view.rb (+7 -0, modified)
    @@ -43,6 +43,13 @@ def escaped_url_path
         @page.instance_variable_set("@base_url", "")
         assert_equal "<nav aria-label=\"Breadcrumb\"><ol><li class=\"breadcrumb-item\"><a href=\"/gollum/overview\">Home</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/\">Mordor</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/Eye-Of-Sauron/\">Eye-Of-Sauron</a></li>\n<li class=\"breadcrumb-item\" aria-current=\"page\">Saruman</li>\n</ol></nav>", @page.breadcrumb
       end
    +  
    +  test 'guard against malicious filenames' do
    +    malicious_title = '<img src=x onerror=alert(1) />'
    +    @page.instance_variable_set("@path", malicious_title)
    +    @page.instance_variable_set("@base_url", "")
    +    assert @page.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
    +  end
     
       test "breadcrumb with no path" do
         assert_equal 'Home', @page.breadcrumb
    
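Review bot: the assertion in 'guard against malicious filenames' looks for the exact percent-encoded string `%3Cimg+src%3Dx+onerror%3Dalert%281%29+`, so it pins the encoding choice rather than the security property; switching the view to CGI.escapeHTML would fail this test while still being safe. Add a negative assertion that the raw `<img` tag is absent from `@page.breadcrumb`. The expected string also stops at the `+` for the trailing space, which suggests the `/` in the payload is being split as a path separator by the breadcrumb; if so the check covers only the first segment, and a payload without `/` would exercise the whole title.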
  • test/test_page_view.rb (+11 -0, modified)
    @@ -12,6 +12,17 @@
       teardown do
         FileUtils.rm_rf(@path)
       end
    +  
    +  test 'guard against malicious filenames' do
    +    malicious_title = '<img src=x onerror=alert(1) />'
    +    @wiki.write_page(malicious_title, :markdown, 'Is Bilbo a hobbit? Why certainly!')
    +    page = @wiki.page(malicious_title)
    +    @view = Precious::Views::Page.new
    +    @view.instance_variable_set :@page, page
    +    @view.instance_variable_set :@content, page.formatted_data
    +    @view.instance_variable_set :@h1_title, false
    +    assert @view.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
    +  end
     
       test "h1 title sanitizes correctly" do
         title = 'H1'
    
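Review bot: this test repeats the payload and the expected encoded string from test_overview_view.rb verbatim; move both into a shared constant so a later change of escaper is updated in one place, and add the same negative check that `<img` does not appear in `@view.breadcrumb`. The view is also assembled by setting @page, @content and @h1_title with instance_variable_set, which bypasses whatever Precious::Views::Page does when it is constructed in production; if the view exposes a constructor or setter path used by the app, the test should go through it.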


References: 6
