4 matches found
StimulusReflex 3.5.0 Arbitrary Code Execution Exploit
StimulusReflex versions 3.5.0 up to and including 3.5.0.rc2 and 3.5.0.pre10 suffer from an arbitrary code execution vulnerability. StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. Vulnerable code...
StimulusReflex 3.5.0 Arbitrary Code Execution
StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. Vulnerable code excerpt stimulusreflex/lib/stimulusreflex/reflex.rb Invoke the reflex action specified by name and run all callbacks def processname...
GHSA-F78J-4W3G-4Q65 StimulusReflex arbitrary method call
Summary More methods than expected can be called on reflex instances. Being able to call some of them has security implications. Details To invoke a reflex a websocket message of the following shape is sent: json "target": "classnamemethodname", "args": The server will proceed to instantiate refl...
StimulusReflex Security Vulnerability
StimulusReflex is a system that extends the functionality of Rails and Stimulus by intercepting user interactions and passing them to Rails via a live websocket. A security vulnerability exists in StimulusReflex 3.4.1 and earlier, 3.5.0.rc3 and earlier, which stems from a vulnerability that allow...