7 matches found

CVE | added 2024/02/27 4:15 p.m. | 165 views

CVE-2024-26143

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the...

CVSS 6.1 | AI score 6 | EPSS 0.01493
CVE | added 2024/02/27 4:15 p.m. | 142 views

CVE-2024-26144

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain pr...

CVSS 5.3 | AI score 5.2 | EPSS 0.02507
CVE | added 2024/02/27 4:15 p.m. | 105 views

CVE-2024-26142

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are u...

CVSS 7.5 | AI score 7.4 | EPSS 0.02473
CVE | added 2024/06/04 8:15 p.m. | 67 views

CVE-2024-28103

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

CVSS 9.8 | AI score 6.8 | EPSS 0.00666
CVE | added 2024/10/16 8:15 p.m. | 62 views

CVE-2024-47887

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication ...

CVSS 8.7 | AI score 6.8 | EPSS 0.00405
CVE | added 2024/10/16 9:15 p.m. | 61 views

CVE-2024-47889

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to t...

CVSS 8.7 | AI score 6.5 | EPSS 0.00097
CVE | added 2024/06/04 8:15 p.m. | 42 views

CVE-2024-32464

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.

CVSS 6.1 | AI score 5.9 | EPSS 0.00112