Lucene search

GitHub Advisory DatabaseGHSA-9CHR-4FJH-5RGW

HistoryOct 27, 2022 - 12:00 p.m.

Cross-site Scripting in actionpack

2022-10-2712:00:27

CWE-79

CWE-707

GitHub Advisory Database

github.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.8%

JSON

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Affected configurations

Vulners

Node

github_advisory_databaseactionpackRange≤7.0.4

CPENameOperatorVersion
actionpackle7.0.4

CPE	Name	Operator	Version
	actionpack	le	7.0.4

References

github.com/advisories/GHSA-9chr-4fjh-5rgw

github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4

github.com/rails/rails/issues/46244

github.com/rails/rails/issues/46244#issuecomment-1380875153

github.com/rails/rails/pull/46269

nvd.nist.gov/vuln/detail/CVE-2022-3704

vuldb.com/?id.212319