{"id":"CVE-2017-1002201","details":"In haml versions prior to 5.0.0.beta.2, the ' (single quote) character was not escaped. When user input is used to perform tasks on the server, characters like \u003c \u003e \" ' must all be escaped properly; because the single quote was missed, an attacker can manipulate the input to introduce additional attributes, potentially executing code.","aliases":["GHSA-r53w-g4xm-3gc6"],"modified":"2026-04-11T12:03:38.385836Z","published":"2019-10-15T18:15:10.560Z","related":["SNYK-RUBY-HAML-20362","SUSE-SU-2019:2932-1","SUSE-SU-2019:3270-1","SUSE-SU-2020:0640-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}]}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-27"},{"type":"FIX","url":"https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-RUBY-HAML-20362"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/haml/haml","events":[{"introduced":"0"},{"fixed":"78e2a09d3b8c6f7cdb3bb87ff84dce8fad5598ac"},{"fixed":"18576ae6e9bdcb4303fdbe6b3199869d289d67c2"}],"database_specific":{"cpe":"cpe:2.3:a:haml:haml:*:*:*:*:*:ruby:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"5.0.0"}]}}],"versions":["2.0.0","2.2.0","3.0.0","3.0.0.beta.1","3.0.0.beta.2","3.0.0.beta.3","3.0.0.rc.1","3.0.0.rc.2","3.0.0.rc.3","3.0.0.rc.4","3.0.0.rc.5","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0.beta.1","3.2.0.beta.2","4.1.0.beta.1","v5.0.0.beta.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv
-output/CVE-2017-1002201.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}