CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedHat Linux•added 2021/04/21 1:15 p.m.•5 views

rubygem-actionview: CSRF vulnerability in rails-ujs

A flaw was found in rubygem-actionview. A regression of CVE-2015-1840 causes Rails-ujs to send CSRF tokens to wrong domains. The highest threat from this vulnerability is to data integrity...

6.5CVSS6.6AI score0.00427EPSS

Exploits1References5

OSV•added 2020/12/30 7:15 p.m.•0 views

UBUNTU-CVE-2020-26247

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the...

4.3CVSS6.7AI score0.00259EPSS

Exploits0References9

RedHat Linux•added 2020/10/27 12:58 p.m.•0 views

rubygem-secure_headers: limited header injection when using dynamic overrides with user input

A directive injection vulnerability was found in Secure Headers RubyGem before versions 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into the vulnerable function, a new line could be injected, leading to limited header injection, which could create a new Content Security Policy head...

5.8CVSS7.2AI score0.00347EPSS

Exploits1References5

RedHat Linux•added 2020/10/27 12:58 p.m.•2 views

rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser

A flaw was found in the websocket-extensions ruby module in versions prior to 0.1.5. The parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and another character. When abused by an...

7.5CVSS7.3AI score0.02622EPSS

Exploits1References5

CNVD•added 2020/08/06 12:0 a.m.•2 views

Chartkick Injection Vulnerability

Chartkick is a package for creating JavaScript icons. An injection vulnerability exists in Chartkick gem 3.3.2 and earlier versions Ruby. The vulnerability stems from a lack of proper validation of user input data by a networked system or product that does not filter, or does not correctly filter...

6.1CVSS9.4AI score0.0024EPSS

Exploits1References1

RubySec•added 2020/08/04 12:0 a.m.•18 views

CSRF Vulnerability with Non-Session Based Authentication

The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods. Impact The PgHero dashboard is vulnerable to cross-site request forgery CSRF. This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session...

8.1CVSS2.8AI score0.00101EPSS

Exploits0References1Affected Software1

Github Security Blog•added 2020/05/28 9:10 p.m.•93 views

Cross-Site Scripting in Kaminari

Impact In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. Releases The 1.2.1 gem including the patch has already been released. All past released versions are affected by this...

6.4CVSS2.3AI score0.00452EPSS

Exploits0References8Affected Software1

OSV•added 2020/05/22 3:15 p.m.•1 views

DEBIAN-CVE-2020-11077

In Puma RubyGem before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the firs...

7.5CVSS6.2AI score0.00821EPSS

Exploits0References1

Snyk•added 2020/04/17 12:0 a.m.•2 views

Malicious Package

Overview airbrakeapi is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using airbrakeapi...

8CVSS5.8AI score

Snyk•added 2020/04/17 12:0 a.m.•2 views

Malicious Package

Overview litaonewheel-beer-wayfinder is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.8AI score

Malicious Package

Overview commonmarkerpluggable is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

Snyk•added 2020/04/17 12:0 a.m.•2 views

Malicious Package

Overview active-modelserializerscancancan is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid...

Malicious Package

Overview anyvalidate is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using anyvalidate...

Malicious Package

Overview airbrakestatsd is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using airbrakestat...

Malicious Package

Overview emstatsd is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using emstatsd altogethe...