activestorage is vulnerable to cross-site scripting. Signed download URLs that are generated for Google Cloud Storage include content-disposition and content-type parameters which can be modified on the client side. This allows an attacker to upload specially crafted HTML files and inject arbitrary HTML/JavaScript into a victim's browser by tricking them into clicking a crafted URL, performing unwanted actions on behalf of the user.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | activestorage | le | 5.2.1 |
github.com/rails/rails/commit/54ed6ad8d7468dc3a0b690e629c7c18497552eb8
github.com/rubysec/ruby-advisory-db/pull/371/commits/4dce15fff07df6616ef035427f6178cb536ada59
groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ
weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/