3 matches found
CVE-2015-7580
Cross-site scripting XSS vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node...
CVE-2015-7580
The CVE-2015-7580 entry describes an XSS vulnerability in the rails-html-sanitizer gem prior to 1.0.3 used with Ruby on Rails 4.2.x and 5.x. The issue arises in lib/rails/html/scrubbers.rb where a crafted CDATA node can inject arbitrary script/HTML. Affected component: rails-html-sanitizer (Ruby ...
IP whitelist bypass in Web Console
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled development and test, by default. Users whose application is only accessible from localhost as is the default behaviour in Rails 4.2 are not affected, unless a loc...