A flaw was found in cucumber HTML formatter. It appends any scenario output to the HTML without escaping HTML tags in the messages. This means that any output from the steps gets injected into the report page and could lead to cross-site scripting attacks.
Created rubygem-cucumber tracking bugs for this issue: Affects: epel-7 [bug 1516548] Affects: fedora-all [bug 1516547]
Patch: https://github.com/cucumber/cucumber-ruby/commit/a6ddc2c03a813c1f13559951ef546875c3cda4bb
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Note that cucumber is usually used solely for writing tests[1] and not for rendering any production website code (or similar). [1] https://github.com/cucumber/cucumber-ruby#cucumber