Lucene search

RubySecRUBY:RAILS_ADMIN-2020-36190

HistoryMar 13, 2020 - 9:00 p.m.

rails_admin ruby gem XSS vulnerability

2020-03-1321:00:00

RubySec

github.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows
XSS via nested forms.

Affected configurations

Vulners

Node

rubyrails_adminRange1.4.0–1.4.3

rubyrails_adminRange≤2.0.2

VendorProductVersionCPE
rubyrails_admin*cpe:2.3:a:ruby:rails_admin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	rails_admin	*	cpe:2.3:a:ruby:rails_admin::::::::

References

github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

JSON

Related for RUBY:RAILS_ADMIN-2020-36190