CVE-2024-22411
Consolidated finding: CVE-2024-22411 affects the Avo framework for Ruby on Rails. In Avo 3 pre12, HTML content inside text passed to error or succeed in an Avo::BaseAction is rendered unsanitized in the UI toast/notification, enabling cross-site scripting (XSS). The issue can impact users of Avo...
CVE-2024-22411 Cross site scripting in Action messages on Avo
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A maliciou...
CVE-2024-22191 Stored cross-site scripting (XSS) in `key_value` field in Avo
Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting XSS vulnerability was found in the keyvalue field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The value of the...
CVE-2024-22191
CVE-2024-22191 describes a stored XSS flaw in Avo’s key_value field for Rails admin panels. Affected: Avo v3.2.3 and v2.46.0 (reports also cite related builds); the payload is injected into HTML without proper sanitization, enabling arbitrary JavaScript execution in victims’ browsers. Impact stat...
EulerOS 2.0 SP11 : grpc (EulerOS-SA-2023-3271)
According to the versions of the grpc package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (e.g. Linux) allows an attacker to cause...
EulerOS 2.0 SP10 : ruby (EulerOS-SA-2023-2824)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters...
EulerOS 2.0 SP11 : ruby (EulerOS-SA-2023-2708)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific...
Debian dsa-5599 : php-seclib - security update
The remote Debian 11 / 12 host has a package installed that is affected by a vulnerability as referenced in the dsa-5599 advisory. - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such...
EulerOS 2.0 SP11 : ruby (EulerOS-SA-2023-2666)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific...
EulerOS 2.0 SP11 : ruby (EulerOS-SA-2023-2868)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters...
EulerOS 2.0 SP10 : ruby (EulerOS-SA-2023-2800)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters...
EulerOS 2.0 SP11 : ruby (EulerOS-SA-2023-2851)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters...
CVE-2024-21654
CVE-2024-21654 affects Rubygems.org, the Ruby package hosting service. A flaw in the forgotten-password flow allows bypassing MFA, enabling account takeover. Root cause: a workaround in the password-reset form. Impact: high (CVE details indicate potential total compromise of an affected account)....
The vulnerability of the Ruby programming language components rfc2396 parser.rb and rfc3986 parser.rb allows an attacker to cause a service failure.
The vulnerability of the Ruby programming language components rfc2396 parser.rb and rfc3986 parser.rb is related to the incorrect handling of invalid URL addresses. Exploiting this vulnerability allows a remote attacker to cause service interruptions...
SUSE-SU-2024:0076-1 Security update for hawk2
This update for hawk2 fixes the following issues: - Fixed HttpOnly secure flag by default bsc1216508. - Fixed CSRF protection in errorscontroller.rb bsc1216571. Update to version 2.6.4+git.1702030539.5fb7d91b: - Fix mime type issue in MS Windows bsc1215438 - Parametrize CORS...
RedCloth: ReDoS Vulnerability
Background: RedCloth is a module for using Textile in Ruby. Description: A vulnerability has been discovered in RedCloth. Please review the CVE identifier referenced below for details. Impact: RedCloth is vulnerable to a regular expression denial of service "ReDoS" attack via the sanitizehtml functio...
Ruby on Rails: DoS with crafted "Range" header
The vulnerability was discovered in the Active Storage component of Ruby on Rails. The vulnerability allowed an attacker to craft a "Range" header that could lead to a Denial of Service DoS attack. The attack was possible due to the lack of validation on overlapping ranges in the...