6 matches found
CVE-2023-49090
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in allowlistedcontenttype? determines Content-Type permissions by performing a partial match. If the...
Ubuntu: Security Advisory (USN-7497-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the improper handling of Content-Type headers when uploading to object storage, including Amazon S3. An attacker can bypass the contenttypeallowlist by providing multiple Content-Type values separated by...
CVE-2023-49090
creationtimestamp| type| source ---|---|--- 2023-12-20 11:12:32+00:00| seen| https://t.me/ctinow/156873...
CVE-2023-49090
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in allowlistedcontenttype? determines Content-Type permissions by performing a partial match. If the...
CVE-2023-49090
CarrierWave (Ruby/Rails file-upload library) contains a Content-Type allowlist bypass vulnerability (CVE-2023-49090). The issue arises because allowlisted_content_type? validates Content-Type via partial matching, enabling an attacker to craft content_type values that bypasses the allowlist, pote...