History: Feb 27, 2024 - 3:33 p.m.

CVE-2024-26143 Rails Possible XSS Vulnerability in Action Controller

2024-02-27 15:33:54
CWE-79
GitHub_M
www.cve.org
cve-2024-26143
rails
xss
action controller
translation helpers
untrusted user input

6.1 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.0004 Low
Percentile: 10.5%

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in "_html" and a :default value containing untrusted user input, and then use the resulting string in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
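The following is an added, self-contained model of the condition described above; it is not Rails source code. TRANSLATIONS, SafeString, translate_vulnerable, translate_fixed and render are constructed stand-ins for a locale file, ActiveSupport::SafeBuffer, the controller translate helper and view output escaping, and UNTRUSTED is constructed input standing in for a request parameter. The vulnerable variant marks an "_html" result safe as-is, so an untrusted :default reaches the page unescaped; the hardened variant escapes a :default that is not already HTML-safe before marking the result safe.

```ruby
require 'cgi'
# Constructed translations table, standing in for config/locales/*.yml.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# Constructed stand-in for ActiveSupport::SafeBuffer: a string the view trusts.
SafeString = Struct.new(:text) do
  def html_safe?; true; end
  def to_s; text; end
end

# Escape unless the value is already marked HTML-safe (like Rails' html_escape).
def escape_html(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Vulnerable model: an "_html" key marks the result safe as-is, so a :default
# built from untrusted input reaches the view without escaping.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key) { default }
  return text unless key.end_with?("_html")
  SafeString.new(text.to_s)
end

# Hardened model: for "_html" keys a :default that is not already HTML-safe is
# escaped before being marked safe; locale-file values are trusted as before.
def translate_fixed(key, default: nil)
  if key.end_with?("_html") && !TRANSLATIONS.key?(key) && !default.nil?
    default = escape_html(default)
  end
  text = TRANSLATIONS.fetch(key) { default }
  return text unless key.end_with?("_html")
  SafeString.new(text.to_s)
end

# What a view does with the value: HTML-safe strings pass through, others are escaped.
def render(value)
  escape_html(value)
end

# Constructed untrusted input, e.g. params[:name] in a controller.
UNTRUSTED = "<script>alert(1)</script>"

def vulnerable_output
  render(translate_vulnerable("missing_html", default: UNTRUSTED))
end

def fixed_output
  render(translate_fixed("missing_html", default: UNTRUSTED))
end
```

The same lookup with a key that does not end in "_html" is escaped by the view in both variants, which is why the description limits the condition to "_html" keys combined with an untrusted :default.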

CNA Affected

[
  {
    "vendor": "rails",
    "product": "rails",
    "versions": [
      {
        "version": ">= 7.0.0, < 7.0.8.1",
        "status": "affected"
      },
      {
        "version": ">= 7.1.0, < 7.1.3.1",
        "status": "affected"
      }
    ]
  }
]