
4 matches found

Packet Storm
added 2024/03/14 12:00 a.m., 377 views

StimulusReflex 3.5.0 Arbitrary Code Execution

StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. Vulnerable code excerpt stimulusreflex/lib/stimulusreflex/reflex.rb Invoke the reflex action specified by name and run all callbacks def processname...

CVSS 8.8 | AI score 7.4 | EPSS 0.01455 | Exploits: 3
0day.today
added 2024/03/14 12:00 a.m., 285 views

StimulusReflex 3.5.0 Arbitrary Code Execution Exploit

StimulusReflex versions 3.5.0 up to and including 3.5.0.rc2 and 3.5.0.pre10 suffer from an arbitrary code execution vulnerability. StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. Vulnerable code...

CVSS 8.8 | AI score 9 | EPSS 0.01455 | Exploits: 3
OSV
added 2024/03/12 3:44 p.m., 3 views

GHSA-F78J-4W3G-4Q65 StimulusReflex arbitrary method call

Summary: More methods than expected can be called on reflex instances. Being able to call some of them has security implications. Details: To invoke a reflex a websocket message of the following shape is sent: json "target": "classnamemethodname", "args": The server will proceed to instantiate refl...

CVSS 8.8 | AI score 8.7 | EPSS 0.01455 | Exploits: 3 | References: 10
CNNVD
added 2024/03/12 12:00 a.m., 1 view

StimulusReflex Security Vulnerability

StimulusReflex is a system that extends the functionality of Rails and Stimulus by intercepting user interactions and passing them to Rails via a live websocket. A security vulnerability exists in StimulusReflex 3.4.1 and earlier, 3.5.0.rc3 and earlier, which stems from a vulnerability that allow...

CVSS 8.8 | AI score 6.8 | EPSS 0.01455 | Exploits: 3 | References: 9