RubyGems - HackerOne Reports
Total reports: 28 (2 Critical, 4 High, 7 Medium, 7 Low)
Cross-Domain JavaScript Source File Inclusion
    Reported by: mrunal | Disclosed | Severity: Low | Weakness: Cross-site Scripting (XSS) - Generic

Installing a crafted gem package may create or overwrite files
    Reported by: mame | Disclosed | Severity: High | Weakness: Path Traversal | Bounty: $1000.00

No limit of summary length allows Denial of Service
    Reported by: mame | Disclosed | Severity: High | Weakness: Uncontrolled Resource Consumption

Invalid username updating
    Reported by: jackb898 | Disclosed

Host Header Injection/Redirection
    Reported by: rootnp | Disclosed | Weakness: Violation of Secure Design Principles

RCE,SQL,Vulnerability + Exploit Method.
    Reported by: exploit_in | Disclosed | Weakness: Command Injection - Generic

Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs
    Reported by: akincibor | Disclosed | Severity: Medium | Weakness: Open Redirect

Escape sequence injection in "summary" field
    Reported by: mame | Disclosed | Severity: Low | Weakness: Command Injection - Generic | Bounty: $500.00

Login credentials transmitted in cleartext on index.rubygems.org
    Reported by: eterm | Disclosed | Weakness: Violation of Secure Design Principles

Password Reset emails missing TLS leads account takeover
    Reported by: c0rte | Disclosed | Weakness: Improper Authentication - Generic

Host Header Attack
    Reported by: n_ob_o_dy | Disclosed | Severity: Medium

Remote code execution on rubygems.org
    Reported by: max | Disclosed | Severity: Critical | Weakness: Deserialization of Untrusted Data | Bounty: $1500.00

Host header Injection rubygems.org
    Reported by: bugs3ra | Disclosed | Severity: Low | Weakness: Open Redirect

DNS SRV lookup of file:// sources enables local hijacking of gems
    Reported by: plover | Disclosed | Severity: High | Weakness: Path Traversal

Possibility to guess email address from gravatar image URL
    Reported by: ooooooo_q | Disclosed | Severity: Low | Weakness: Inadequate Encryption Strength

65534 times efficient, Brute-force attack for api_key
    Reported by: ooooooo_q | Disclosed | Severity: Low

Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations
    Reported by: nmalkin | Disclosed | Severity: Medium | Weakness: Path Traversal

Installer can modify other gems if gem name is specially crafted
    Reported by: nmalkin | Disclosed | Severity: Medium | Weakness: Path Traversal

Bundler's RCE with response using Marshal
    Reported by: ooooooo_q | Disclosed | Weakness: Deserialization of Untrusted Data

Malware in `active-support` gem
    Reported by: reed | Disclosed | Severity: Critical | Weakness: Command Injection - Generic
Page 1 of 2