Lucene search

GoogleOSV:CVE-2023-30614

HistoryApr 19, 2023 - 6:15 p.m.

CVE-2023-30614

2023-04-1918:15:07

Google

osv.dev

pay

ruby on rails

cross-site scripting

vulnerability

patched

upgrade

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

32.5%

JSON

Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL could be distributed via email to specifically target certain individuals. If the targeted application contains a functionality to submit user-generated content (such as comments) the attacker could even distribute the URL using that functionality. This has been patched in version 6.3.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CPENameOperatorVersion
payeq1.0.0.beta4
payeq3.0.10
payeq6.1.0
payeq5.0.3
payeq6.1.1
payeq3.0.5
payeq3.0.2
payeq2.6.4
payeq3.0.13
payeq1.0.0.alpha2

Name	Operator	Version
pay	eq	1.0.0.beta4
pay	eq	3.0.10
pay	eq	6.1.0
pay	eq	5.0.3
pay	eq	6.1.1
pay	eq	3.0.5
pay	eq	3.0.2
pay	eq	2.6.4
pay	eq	3.0.13
pay	eq	1.0.0.alpha2

Rows per page:

1-10 of 961

References

github.com/pay-rails/pay/commit/5d6283a24062bd272a524ec48415f536a67ad57f

github.com/pay-rails/pay/security/advisories/GHSA-cqf3-vpx7-rxhw