Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM51723B7FE30A65E8B4F88D0CF4E59DB7FEA759D4D16619E574EB761D34523300
HistorySep 22, 2023 - 8:32 a.m.

Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2023-28362) and could allow cross-site scripting.

2023-09-2208:32:45
www.ibm.com
15
ruby on rails
ibm license metric tool
vulnerability
cross-site scripting
remote attacker
security fix
ilmt server
upgrade

0 Low

EPSS

Percentile

0.0%

JSON

Summary

There is a vulnerability in the Ruby On Rails opens source component used by IBM License Metric Tool. The vulnerability could allow a remote attacker to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-28362
**DESCRIPTION:**Ruby on Rails is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the redirect_to method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM License Metric Tool All

Remediation/Fixes

Upgrade ILMT Server to version 9.2.33 or later using the following procedure:
<https://www.ibm.com/docs/en/license-metric-tool?topic=tool-upgrading-latest-version&gt;.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmlicense_metric_toolMatch9.2
CPENameOperatorVersion
ibm license metric tooleq9.2

Related

hackerone 1
nessus 2
redhatcve 1
github 1
openvas 1
veracode 1
osv 1
ubuntucve 1
debiancve 1
cve 1
rubygems 1
redhat 1
ibm 1
hackerone
hackerone
Ruby on Rails: Incorrect handling of certain characters passed to the redirection functionality in Rails can lead to a single-click XSS vulnerability.
2023-04-20 01:32:01
nessus
nessus
SUSE SLES15 / openSUSE 15 Security Update : rubygem-actionpack-5_1 (SUSE-SU-2023:3229-1)
2023-08-09 00:00:00
RHEL 8 : Satellite 6.14.1 Async Security Update (Moderate) (RHSA-2023:7851)
2024-04-28 00:00:00
redhatcve
redhatcve
CVE-2023-28362
2023-07-13 16:35:45
github
github
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
2023-06-29 15:03:16
openvas
openvas
openSUSE: Security Advisory for rubygem (SUSE-SU-2023:3229-1)
2024-03-04 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2023-07-03 09:16:23
osv
osv
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
2023-06-29 15:03:16
ubuntucve
ubuntucve
CVE-2023-28362
2023-07-17 00:00:00
debiancve
debiancve
CVE-2023-28362
2023-07-14 16:32:27
cve
cve
CVE-2023-28362
2023-07-14 16:32:27
rubygems
rubygems
Possible XSS via User Supplied Values to redirect_to
2023-06-25 21:00:00
redhat
redhat
(RHSA-2023:7851) Moderate: Satellite 6.14.1 Async Security Update
2023-12-14 16:20:36
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOps
2023-07-27 09:18:06

0 Low

EPSS

Percentile

0.0%

JSON
Related for 51723B7FE30A65E8B4F88D0CF4E59DB7FEA759D4D16619E574EB761D34523300
hackerone1nessus2redhatcve1github1openvas1veracode1osv1ubuntucve1debiancve1cve1rubygems1redhat1ibm1