Cross-Site Scripting in Kaminari

GHSA-r5jw-62xg-j433 · CVE-2020-11082

Published May 28, 2020 · Modified Mar 13, 2026

Description

Impact

In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.

Releases

The 1.2.1 gem including the patch has already been released.
All past released versions are affected by this vulnerability.

Workarounds

Application developers who can't update the gem can workaround by overriding the PARAM_KEY_EXCEPT_LIST constant.

module Kaminari::Helpers
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end

Credits

Thanks to Daniel Mircea for finding the issue and sending a patch via GitHub. Also thanks to Aditya Prakash for reporting the vulnerability.

References

WEB https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-11082
WEB https://github.com/github/advisory-review/pull/1020
WEB https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8
PACKAGE https://github.com/kaminari/kaminari
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kaminari/CVE-2020-11082.yml
WEB https://lists.debian.org/debian-lts-announce/2021/09/msg00011.html
WEB https://www.debian.org/security/2021/dsa-5005

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes