<p>Upgrade <code>cucumber</code> to version 4.0.0 or higher.</p>

HTML Injection Affecting cucumber package, versions <4.0.0

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-CUCUMBER-20442
published 9 Nov 2017
disclosed 21 Nov 2016
credit Alexey Bezhan

Report a new vulnerability Found a mistake?

Introduced: 21 Nov 2016

CWE-80 Open this link in a new tab

How to fix?

Upgrade cucumber to version 4.0.0 or higher.

Overview

Affected versions of this package are vulnerable to HTML Injection. The HTML formatter appends any scenario output to the HTML without escaping HTML tags in the messages. This way, any output from the steps gets injected into the report page. In the simple case, this won't display the message as expected. When combined with for example capybara and CI environments this opens up the possibility of an XSS attack from the user input on the environment being tested.

References

GitHub Commit