GitHub_MVULNRICHMENT:CVE-2024-39308CVE-2024-39308 RailsAdmin Cross-site Scripting vulnerability in the list view
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
30.7%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).
CNA Affected
[
{
"vendor": "railsadminteam",
"product": "rails_admin",
"versions": [
{
"status": "affected",
"version": ">= 3.0.0, < 3.1.3"
},
{
"status": "affected",
"version": "< 2.3.0"
}
]
}
]References
github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef
github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673
github.com/railsadminteam/rails_admin/issues/3686
github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
rubygems.org/gems/rails_admin/versions/2.3.0
rubygems.org/gems/rails_admin/versions/3.1.3
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
30.7%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial