
20 matches found

Veracode
added 2026/03/28 5:29 a.m. | 4 views

Cross-Site Scripting

Active Support is vulnerable to Cross-Site Scripting. The vulnerability is due to SafeBuffer#% not propagating the @html_unsafe flag to the newly created buffer: when a SafeBuffer is mutated in place and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? ...

CVSS 6.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 5 | Affected Software 1
SUSE CVE
added 2026/03/25 12:24 a.m. | 3 views

SUSE CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 6.1 | AI score 5.9 | EPSS 0.00011
Exploits 0 | References 3
NVD
added 2026/03/24 12:16 a.m. | 2 views

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 6.1 | EPSS 0.00011
Exploits 0 | References 7
OSV
added 2026/03/24 12:16 a.m. | 0 views

DEBIAN-CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 6.1 | AI score 5.3 | EPSS 0.00011
Exploits 0 | References 1
OSV
added 2026/03/24 12:16 a.m. | 2 views

UBUNTU-CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 6.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 9
UbuntuCve
added 2026/03/24 12:16 a.m. | 1 view

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 6.1 | AI score 5.9 | EPSS 0.00011
Exploits 0 | References 8
OSV
added 2026/03/23 11:09 p.m. | 2 views

CVE-2026-33170 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits 0 | References 9
ATTACKERKB
added 2026/03/23 11:09 p.m. | 1 view

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and th...

CVSS 5.3 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 8 | Affected Software 1
Github Security Blog
added 2026/03/23 8:53 p.m. | 4 views

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact: SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

CVSS 6.1 | AI score 6.1 | EPSS 0.00011
Exploits 0 | References 10 | Affected Software 1
Positive Technologies
added 2026/03/23 12:00 a.m. | 1 view

PT-2026-27257

Name of the Vulnerable Software and Affected Versions: Active Support versions prior to 8.1.2.1; Active Support versions prior to 8.0.4.1; Active Support versions prior to 7.2.3.1. Description: The SafeBuffer#% method does not correctly propagate the @html_unsafe flag to newly created buffers. If a...

CVSS 6.1 | AI score 6.1 | EPSS 0.00011
Exploits 0 | References 21
CNNVD
added 2026/03/23 12:00 a.m. | 4 views

Rails cross-site scripting vulnerability

Rails is an open-source web application framework based on the Ruby language, developed by the Rails team in the United States. Versions of Rails Active Support prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a cross-site scripting vulnerability. This vulnerability stems from the lack of...

CVSS 6.1 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 8
RubySec
added 2026/03/23 12:00 a.m. | 8 views

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact: SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place, e.g. via gsub!, and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

CVSS 6.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2020-0979

Malware in sbrugna...

CVSS 6.1 | AI score 6.8 | EPSS 0.01184
Exploits 0 | References 13
RedHat Linux
added 2021/04/21 1:15 p.m. | 3 views

rubygem-actionview: Cross-site scripting in translation helpers

A flaw was found in rubygem-actionview in versions prior to 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key, the default string is incorrectly marked as HTML-safe and not escaped. The highest threat from this vulnerability is to data...

CVSS 6.1 | AI score 7.1 | EPSS 0.01184
Exploits 0 | References 5
Prion
added 2020/09/11 4:15 p.m. | 19 views

Cross site scripting

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an...

CVSS 4.3 | AI score 5.7 | EPSS 0.01184
Exploits 0 | References 4 | Affected Software 3
Cvelist
added 2020/09/11 3:50 p.m. | 26 views

CVE-2020-15169 XSS in Action View

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an...

CVSS 5.4 | AI score 6 | EPSS 0.01184
Exploits 0 | References 4
OSV
added 2020/09/11 3:19 p.m. | 39 views

GHSA-CFJV-5498-MPH5 XSS in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. Impact: When an HTML-unsafe string is passed as the default for a...

CVSS 5.4 | AI score 6.3 | EPSS 0.01184
Exploits 0 | References 9
GitLab Advisory Database
added 2020/09/11 12:00 a.m. | 39 views

Cross-site Scripting

In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default...

CVSS 6.1 | AI score 2.7 | EPSS 0.01184
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2020/09/09 9:27 p.m. | 30 views

CVE-2020-15169

A flaw was found in rubygem-actionview in versions prior to 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key, the default string is incorrectly marked as HTML-safe and not escaped. The highest threat from this vulnerability is to data...

CVSS 6.1 | AI score 3.7 | EPSS 0.01184
Exploits 0 | References 4
RubySec
added 2020/09/09 12:00 a.m. | 27 views

Potential XSS vulnerability in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. Impact: When an HTML-unsafe string is passed as the default...

CVSS 6.1 | AI score 1.8 | EPSS 0.01184
Exploits 0 | References 1 | Affected Software 1
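A worked illustration of the two mechanisms the entries above describe: the CVE-2026-33170 case, where an in-place mutation (gsub!) taints a SafeBuffer but the buffer returned by % starts out html-safe again, so unescaped untrusted arguments reach ERB with html_safe? == true; and the CVE-2020-15169 case, where a translation helper hands back a user-controlled default already marked safe, so ERB auto-escaping is skipped. This is an added example, not code from Rails, Active Support, Action View or any of the advisory sources listed. The ModelSafeBuffer, VulnerableSafeBuffer and FixedSafeBuffer classes, the html_escape and erb_output helpers, the TRANSLATIONS table and the PAYLOAD string are simplified stand-ins constructed for this example (an assumption, not the gem's implementation); it runs on plain Ruby with no gems installed.

```ruby
# Added example: a minimal model of a SafeBuffer plus an ERB output step.
# Assumption: the flag handling below is a simplified stand-in for Rails' own.

HTML_ESCAPE = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                '"' => "&quot;", "'" => "&#39;" }.freeze

def html_escape(str)
  str.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# What ERB's <%= %> does: trust html_safe? buffers, escape everything else.
def erb_output(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : html_escape(value)
end

class ModelSafeBuffer < String
  def initialize(str = "")
    @html_unsafe = false # a fresh buffer is trusted
    super
  end

  def initialize_copy(other)
    super
    @html_unsafe = !other.html_safe?
  end

  def html_safe?
    !@html_unsafe
  end

  # In-place mutation taints the buffer, as Rails does for gsub! and friends.
  def gsub!(*args, &block)
    @html_unsafe = true
    super
  end

  private

  # Arguments are escaped only while the template itself is still html-safe;
  # an already-unsafe template is expected to be escaped as a whole later.
  def escape_arg(arg)
    safe = arg.respond_to?(:html_safe?) && arg.html_safe?
    (!html_safe? || safe) ? arg : html_escape(arg)
  end

  def escaped_args(args)
    args.is_a?(Hash) ? args.transform_values { |a| escape_arg(a) } : Array(args).map { |a| escape_arg(a) }
  end
end

# Vulnerable shape: the buffer built from String#% starts html-safe, so the
# unsafe flag set by gsub! is lost and the raw arguments are trusted.
class VulnerableSafeBuffer < ModelSafeBuffer
  def %(args)
    self.class.new(super(escaped_args(args)))
  end
end

# Fixed shape: carry the unsafe flag over to the new buffer.
class FixedSafeBuffer < ModelSafeBuffer
  def %(args)
    result = self.class.new(super(escaped_args(args)))
    result.instance_variable_set(:@html_unsafe, true) unless html_safe?
    result
  end
end

PAYLOAD = "<script>alert(1)</script>" # constructed untrusted input

# Mutate a template in place, then interpolate untrusted input through %.
def render_greeting(buffer_class, name = PAYLOAD)
  template = buffer_class.new("Hello, %s!")
  template.gsub!("Hello", "Hi")
  erb_output(template % name)
end

# Untouched template: % escapes its arguments, so both classes are fine.
def render_greeting_unmutated(buffer_class, name = PAYLOAD)
  erb_output(buffer_class.new("Hello, %s!") % name)
end

# Translation helper model for the CVE-2020-15169 shape. The constructed table
# stands in for locale files; the default is used only when the key is missing.
TRANSLATIONS = { "greeting" => "Welcome" }.freeze

def vulnerable_translate(key, default:)
  TRANSLATIONS.fetch(key) { ModelSafeBuffer.new(default) } # default marked safe
end

def fixed_translate(key, default:)
  TRANSLATIONS.fetch(key) { default.to_s } # plain String; ERB escapes it
end

if __FILE__ == $0
  puts render_greeting(VulnerableSafeBuffer)   # script tag survives
  puts render_greeting(FixedSafeBuffer)        # script tag escaped
  puts erb_output(vulnerable_translate("missing", default: PAYLOAD))
  puts erb_output(fixed_translate("missing", default: PAYLOAD))
end
```

The interesting condition is the combination: a template that was never mutated escapes its arguments inside %, and a template that is mutated but never passed through % is escaped as a whole by ERB. Only the mutate-then-format sequence produces a buffer that is both unescaped and trusted, which is why the advisories single out gsub! followed by %. The translation model shows the same trust-flag failure from the other direction: the helper has no reason to vouch for a caller-supplied default, so the safe default is to return it as a plain String and let the view layer escape it.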