
178 matches found

NVD
added 2020/01/28 1:15 a.m. · 33 views

CVE-2019-10770

All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to b...

CVSS 6.1 · AI score 6.1 · EPSS 0.00857
Exploits 1 · References 1

OSV
added 2020/01/28 1:15 a.m. · 4 views

CVE-2019-10770

All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to b...

CVSS 6.1 · AI score 6.3
Exploits 0 · References 1

Prion
added 2020/01/28 1:15 a.m. · 21 views

Cross site scripting

All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to b...

CVSS 4.3 · AI score 6 · EPSS 0.00857
Exploits 1 · References 1 · Affected Software 1

Cvelist
added 2020/01/28 12:21 a.m. · 36 views

CVE-2019-10770

All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to b...

AI score 6.1 · EPSS 0.00857
Exploits 1 · References 1

OSV
added 2020/01/27 7:28 p.m. · 12 views

GHSA-R2WF-Q3X4-HRV9 Default development error handler in Ratpack is vulnerable to HTML content injection (XSS)

Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' aka. XSS in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data. As a...

CVSS 6.1 · AI score 6.2 · EPSS 0.00857
Exploits 1 · References 4

Github Security Blog
added 2020/01/27 7:28 p.m. · 100 views

Default development error handler in Ratpack is vulnerable to HTML content injection (XSS)

Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' aka. XSS in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data. As a...

CVSS 6.1 · AI score 1.4 · EPSS 0.00857
Exploits 1 · References 5 · Affected Software 1

Snyk
added 2019/11/19 12:2 p.m. · 2 views

Cross-site Scripting (XSS)

Overview io.ratpack:ratpack-core is a simple, capable, toolkit for creating high performance web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the...

CVSS 6.3 · AI score 5.3 · EPSS 0.00857
Exploits 1 · References 2

Metasploit
added 2019/04/25 7:30 p.m. · 40 views

Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability

This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails application would use its name as the secret_key_base, and can be easily extracted by visiting an invalid resource for a path. As a result, this allows a remote user to create and deliver a signed serialized payload...

CVSS 9.8 · AI score 9.4 · EPSS 0.92144
Exploits 13

Hacker One
added 2019/03/28 8:35 p.m. · 49 views

Mail.ru: Rails application running in development mode

autodiscover.staging.geekbrains.ru was running Ruby on Rails in development mode...

AI score 1.8
Exploits 0

OSV
added 2019/03/27 2:29 p.m. · 4 views

DEBIAN-CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 9.8 · AI score 8.2 · EPSS 0.92144
Exploits 13 · References 1

NVD
added 2019/03/27 2:29 p.m. · 21 views

CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 9.8 · AI score 9.8 · EPSS 0.92144
Exploits 13 · References 5

OSV
added 2019/03/27 2:29 p.m. · 24 views

CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 9.8 · AI score 7.6
Exploits 0 · References 5

Prion
added 2019/03/27 2:29 p.m. · 22 views

Remote code execution

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 7.5 · AI score 9.6 · EPSS 0.92144
Exploits 13 · References 5 · Affected Software 3

Cvelist
added 2019/03/27 1:48 p.m. · 34 views

CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

AI score 9.7 · EPSS 0.92144
Exploits 13 · References 5

CVE
added 2019/03/27 1:48 p.m. · 310 views

CVE-2019-5420

CVE-2019-5420 affects Ruby on Rails in development mode where the secret token used to secure sessions is guessable, enabling potential RCE via Rails internals. Connected exploits demonstrate deserialization/RCE vectors dependent on a guessed development secret base. Vulnerable condition: running...

CVSS 9.8 · AI score 9.5 · EPSS 0.92144
Exploits 13 · References 5 · Affected Software 1

Debian CVE
added 2019/03/27 1:48 p.m. · 26 views

CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 9.8 · AI score 9 · EPSS 0.92144
Exploits 13

ATTACKERKB
added 2019/03/27 12:0 a.m. · 32 views

Ruby on Rails DoubleTap Development Mode secret_key_base Vulnerability

Ruby on Rails versions including 5.2.2.1 and prior are vulnerable to a predictable secret_key_base in development mode, which could be used to recreate a signed message, such as a serialized object, and gain remote code execution. Recent assessments: wchen-r7 at September 12, 2019 6:07pm UTC...

CVSS 9.8 · AI score 9.5 · EPSS 0.92144
Exploits 13 · References 5

RedhatCVE
added 2019/03/15 10:49 a.m. · 62 views

CVE-2019-5420

A remote code execution vulnerability in development mode Rails 5.2.2.1, 6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit...

CVSS 9.8 · AI score 4.1 · EPSS 0.92144
Exploits 13 · References 4

Veracode
added 2019/03/14 2:16 a.m. · 35 views

Remote Code Execution (RCE)

railties is vulnerable to remote code execution. A remote attacker is able to guess the automatically generated secret token when Rails is in development mode. This token can subsequently be used in combination with other Rails internals to execute arbitrary code...

CVSS 9.8 · AI score 9.7 · EPSS 0.92144
Exploits 13 · References 8 · Affected Software 2

OSV
added 2019/03/13 5:28 p.m. · 42 views

GHSA-M42H-MH85-4QGC Use of Insufficiently Random Values in Railties Allows Remote Code Execution

Possible Remote Code Execution Exploit in Rails Development Mode Impact ------ With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to...

CVSS 9.8 · AI score 9.9 · EPSS 0.92144
Exploits 13 · References 7
