Veracode Vulnerability Database: VERACODE:7895
Nov 28, 2018 - 2:22 a.m.

Cross-Site Scripting (XSS)

sca.analysiscenter.veracode.com
5

EPSS: 0.001 (Low), percentile 35.8%

activestorage is vulnerable to cross-site scripting. Signed download URLs generated for Google Cloud Storage include content-disposition and content-type parameters that can be modified on the client side. This allows an attacker to upload specially crafted HTML files and inject arbitrary HTML/JavaScript into a victim's browser by tricking them into clicking a crafted URL; the injected script can then perform unwanted actions on behalf of the user.
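
A minimal model of the flaw described above, as an added example that is not Active Storage's or Google Cloud Storage's code: a signed URL whose signature leaves the content-type and content-disposition parameters uncovered still verifies after they are rewritten, while one that signs every parameter does not. The HMAC scheme, the key, the paths and all function names are constructed for illustration.

```ruby
require "openssl"
require "uri"

SECRET = "constructed-demo-key" # stand-in for the service's signing secret

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

def secure_eq(a, b) # constant-time comparison of two digests
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def parse(url)
  uri = URI.parse(url)
  [uri.path, URI.decode_www_form(uri.query).to_h]
end

# Weak: only path and expiry are signed; the response parameters are not.
def sign_weak(path, expires, params)
  q = params.merge("expires" => expires.to_s, "sig" => hmac("#{path}\n#{expires}"))
  "#{path}?#{URI.encode_www_form(q)}"
end

def verify_weak(url)
  path, q = parse(url)
  secure_eq(hmac("#{path}\n#{q['expires']}"), q["sig"].to_s)
end

# Hardened: every query parameter except the signature itself is signed.
def canonical(path, q)
  "#{path}\n#{URI.encode_www_form(q.reject { |k, _| k == 'sig' }.sort)}"
end

def sign_strict(path, expires, params)
  q = params.merge("expires" => expires.to_s)
  "#{path}?#{URI.encode_www_form(q.merge('sig' => hmac(canonical(path, q))))}"
end

def verify_strict(url)
  path, q = parse(url)
  secure_eq(hmac(canonical(path, q)), q["sig"].to_s)
end

# What any holder of the URL can do: rewrite one query parameter.
def with_param(url, key, value)
  path, q = parse(url)
  "#{path}?#{URI.encode_www_form(q.merge(key => value))}"
end
```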

CPE
Name           Operator  Version
activestorage  le        5.2.1