Lucene search
+L
RubygemsRecent

1254 matches found

RubySec
RubySec
added 2022/05/24 12:0 a.m.20 views

Katello cleartext password storage issue

A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users...

4.1CVSS3.8AI score0.00647EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.24 views

Camaleon CMS Stored Cross-site Scripting vulnerability

In “Camaleon CMS” application, versions 0.0.1 through 2.6.0 are vulnerable to stored XSS, that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious...

6.1CVSS4.8AI score0.00782EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.23 views

Cross site scripting in publify

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a 'publisher' role is able to inject and execute arbitrary JavaScript code while creating a page/article...

5.4CVSS3.3AI score0.00578EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.55 views

Smashing Cross-site Scripting vulnerability

Smashing 1.3.4 is vulnerable to Cross Site Scripting XSS. A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment e.g. if re-using internal URL's for...

6.1CVSS1.9AI score0.00995EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.19 views

Cross site scripting in publify

Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file. Stored XSS may be obtained...

9.1CVSS0.7AI score0.00731EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.17 views

Cross site scripting in publify

In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with 'publisher' role to inject malicious JavaScript via the uploaded html file...

5.4CVSS2AI score0.00578EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/24 12:0 a.m.24 views

omniauth-weibo-oauth2 included a code-execution backdoor inserted by a third-party

The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected...

9.8CVSS4.3AI score0.02437EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/23 12:0 a.m.28 views

Improper Handling of Unexpected Data Type in Nokogiri

Summary Nokogiri = 1.13.6. JRuby users are not affected. Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling tos or equivalent...

8.2CVSS2.8AI score0.03078EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/19 12:0 a.m.10 views

Insecure PRNG use in random_password_generator

The randompasswordgenerator aka RandomPasswordGenerator gem through 1.0.0 for Ruby uses Kernelrand to generate passwords, which, due to its cyclic nature, can facilitate password prediction...

7.5CVSS2.1AI score0.0182EPSS
Exploits1References1
RubySec
RubySec
added 2022/05/17 12:0 a.m.33 views

Katello uses hard coded credential

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secrettoken value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary...

9.8CVSS7.2AI score0.03002EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/17 12:0 a.m.16 views

openshift-origin-node Improper Input Validation vulnerability

Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly...

5.5CVSS6.8AI score0.00311EPSS
Exploits0References1
RubySec
RubySec
added 2022/05/17 12:0 a.m.24 views

ccsv Double Free vulnerability

The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote attackers to cause a denial of service double free and application crash or possibly have unspecified other impact via a crafted file...

5.5CVSS6.3AI score0.01366EPSS
Exploits0References1
RubySec
RubySec
added 2022/05/17 12:0 a.m.15 views

Incorrect Authorization in publify

Improper Access Control in GitHub repository publify/publify prior to 9.2.8. Anonymous users can't view but can leave comments on an article in draft mode...

6.5CVSS4.4AI score0.00804EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/17 12:0 a.m.17 views

Article metadata exposure in publify

Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integri...

8.8CVSS4.4AI score0.01192EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/17 12:0 a.m.14 views

Code injection in publify

Code Injection in GitHub repository publify/publify prior to 9.2.8...

6.5CVSS7.6AI score0.00855EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.30 views

RubyGems Cross-site Scripting vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting XSS vulnerability in gem server display of homepage attribute that can...

6.1CVSS1.3AI score0.02845EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.12 views

Elasticsearch Logstash allows remote attackers to execute arbitrary commands

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in 1 zabbix.rb or 2 nagiosnsca.rb in outputs/...

7.5CVSS7.2AI score0.03297EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.21 views

RubyGems Path Traversal vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to...

5.5CVSS4.8AI score0.02876EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.47 views

Puppet Denial of Service and Arbitrary File Write

A vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise PE Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to 1 cause a denial of service memory consumption via a REST request to a stream that triggers...

3.5CVSS6.5AI score0.02553EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.19 views

Puppet arbitrary file overwrite

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file...

6.3CVSS7.1AI score0.00341EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.23 views

Puppet Arbitrary Command Execution

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise PE Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full...

6CVSS7.6AI score0.02632EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.18 views

Puppet does not properly restrict access to node resources

Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors...

5.5CVSS6.9AI score0.01652EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.24 views

Katello SQL Injection vulnerabilities

Multiple SQL injection vulnerabilities in the scopedsearch function in app/controllers/katello/api/v2/apicontroller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the 1 sortby or 2 sortorder parameter...

8.8CVSS6.5AI score0.01835EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.29 views

katello Cross-site Scripting vulnerability

A cross-site scripting XSS flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to...

5.4CVSS2.9AI score0.00999EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.26 views

RubyGems Improper Input Validation vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can...

5.3CVSS2.9AI score0.03825EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.20 views

RubyGems Deserialization of Untrusted Data vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code...

7.8CVSS4.4AI score0.02982EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.24 views

xapian-core Cross-site Scripting vulnerability

A cross-site scripting vulnerability in queryparser/termgeneratorinternal.cc in Xapian xapian-core before 1.4.6 exists due to incomplete HTML escaping by Xapian::MSet::snippet...

6.1CVSS1.2AI score0.01452EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.27 views

Ruby OpenSSL DoS Vulnerability

The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service interpreter crash via a crafted string...

7.5CVSS6.5AI score0.07734EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.20 views

RubyGems Improper Verification of Cryptographic Signature vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can resu...

9.8CVSS2.7AI score0.03037EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.29 views

AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field

A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image filename field...

6.1CVSS5.7AI score0.01691EPSS
Exploits2References1Affected Software1
RubySec
RubySec
added 2022/05/14 12:0 a.m.159 views

WEBrick RCE Vulnerability

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name...

9.3CVSS8AI score0.16412EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 9:0 p.m.13 views

Elasticsearch Logstash allows remote attackers to execute arbitrary commands

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in 1 zabbix.rb or 2 nagiosnsca.rb in outputs/...

7.5CVSS7.2AI score0.03297EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.38 views

smalruby and smalruby-editor vulnerable to OS Command Injection

smalruby-editor prior to 0.4.1 and smalruby prior to 0.1.11 allows remote attackers to execute arbitrary OS commands via unspecified vectors...

10CVSS8.1AI score0.06183EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.16 views

katello Improper Privilege Management vulnerability

A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter filter set on the Product Name, the filter is not respected when the actions are done via hammer using the repository id...

4.3CVSS4.8AI score0.00938EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.28 views

katello SQL Injection vulnerability

A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is...

4.3CVSS4.4AI score0.01428EPSS
Exploits0References1
RubySec
RubySec
added 2022/05/13 12:0 a.m.17 views

Asciidoctor Infinite Loop vulnerability

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service infinite loop. The loop was caused by the fact that Parser.nextblock was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

7.5CVSS2.2AI score0.0225EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.15 views

hammer_cli_foreman Improper Certificate Validation vulnerability

Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verifyssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks...

8.1CVSS3.1AI score0.00726EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.20 views

Gem in a Box vulnerable to Cross-site Request Forgery

geminabox aka Gem in a Box before 0.13.7 has CSRF, as demonstrated by an unintended gem upload...

8.8CVSS3.1AI score0.00496EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.14 views

smalruby and smalruby-editor vulnerable to OS Command Injection

smalruby-editor prior to 0.4.1 and smalruby prior to 0.1.11 allows remote attackers to execute arbitrary OS commands via unspecified vectors...

10CVSS8.1AI score0.06183EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.15 views

Fluentd Escape Sequence Injection Vulnerability

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors...

10CVSS6.8AI score0.04581EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.27 views

Tarball permission preservation in puppet

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask. When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created...

5.5CVSS3AI score0.00363EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.25 views

Bootstrap vulnerable to Cross-Site Scripting (XSS)

In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute...

6.1CVSS6.1AI score0.04135EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.37 views

Phusion Passenger information disclosure

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10, if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root...

4.7CVSS2.2AI score0.00358EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.21 views

Phusion Passenger incorrect permission assignment

An issue was discovered in switchGroup in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups gidset is not set correctly, leaving it up to randomness i.e., uninitialized memory which supplementary groups are actually being set while lowering privileges...

5.3CVSS3.4AI score0.01198EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.42 views

Camaleon CMS vulnerable to Stored Cross-site Scripting

In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false...

6.1CVSS2.8AI score0.01049EPSS
Exploits2References1
RubySec
RubySec
added 2022/05/13 12:0 a.m.18 views

RubyGems Infinite Loop vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can...

7.5CVSS4AI score0.04809EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.22 views

RubyGems Link Following vulnerability

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in installlocation function of package.rb that can result in...

7.5CVSS3.7AI score0.05076EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.16 views

Gem in a Box vulnerable to Cross-site Scripting

geminabox aka Gem in a Box before 0.13.6 is vulnerable to Cross-site Scripting XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file...

5.4CVSS1.5AI score0.0068EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2022/05/13 12:0 a.m.17 views

mixlib-archive Path Traversal vulnerability

Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using .. in tar archive entries...

7.5CVSS5.3AI score0.019EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2022/05/05 12:0 a.m.14 views

RubyGem openshift-origin-controller is vulnerable to command injection

'rubygem-openshift-origin-controller: API can be used to create applications via cartridgecache.rb URI.prase to perform command injection'...

9.8CVSS7AI score0.02498EPSS
Exploits1References1
Total number of security vulnerabilities1254