| 0 |
|
| 1 |
| url |
VCID-4wmv-rurk-tub6 |
| vulnerability_id |
VCID-4wmv-rurk-tub6 |
| summary |
Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3
# Impact
ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.
Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.
All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
# Workarounds
Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-28120, GHSA-pj73-v5mw-pm9j, GMS-2023-765
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4wmv-rurk-tub6 |
|
| 2 |
| url |
VCID-71et-13y6-eufu |
| vulnerability_id |
VCID-71et-13y6-eufu |
| summary |
activesupport vulnerable to Denial of Service via large XML document depth
The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
|
| aliases |
CVE-2015-3227, GHSA-j96r-xvjq-r9pg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-71et-13y6-eufu |
|
| 3 |
| url |
VCID-a97j-j4a4-7bg1 |
| vulnerability_id |
VCID-a97j-j4a4-7bg1 |
| summary |
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activesupport@3.0.12 |
| purl |
pkg:gem/activesupport@3.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 11 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 12 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 13 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.0.12 |
|
| 1 |
| url |
pkg:gem/activesupport@3.1.0.beta1 |
| purl |
pkg:gem/activesupport@3.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.0.beta1 |
|
| 2 |
| url |
pkg:gem/activesupport@3.1.4 |
| purl |
pkg:gem/activesupport@3.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 11 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 12 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 13 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.4 |
|
| 3 |
| url |
pkg:gem/activesupport@3.2.0.rc1 |
| purl |
pkg:gem/activesupport@3.2.0.rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.2.0.rc1 |
|
| 4 |
| url |
pkg:gem/activesupport@3.2.2 |
| purl |
pkg:gem/activesupport@3.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 11 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 12 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 13 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.2.2 |
|
|
| aliases |
CVE-2012-1098, GHSA-qv8p-v9qw-wc7g, OSV-79726
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a97j-j4a4-7bg1 |
|
| 4 |
| url |
VCID-b5he-f8nq-9yda |
| vulnerability_id |
VCID-b5he-f8nq-9yda |
| summary |
ReDoS based DoS vulnerability in Active Support's underscore
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact
A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b5he-f8nq-9yda |
|
| 5 |
| url |
VCID-bfbp-7umh-2fcp |
| vulnerability_id |
VCID-bfbp-7umh-2fcp |
| summary |
actionpack and activesupport vulnerable to information leaks
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3086, GHSA-fg9w-g6m4-557j
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bfbp-7umh-2fcp |
|
| 6 |
| url |
VCID-e4wh-thvg-5kdk |
| vulnerability_id |
VCID-e4wh-thvg-5kdk |
| summary |
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.r`b in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activesupport@3.0.10 |
| purl |
pkg:gem/activesupport@3.0.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.0.10 |
|
| 1 |
| url |
pkg:gem/activesupport@3.1.0 |
| purl |
pkg:gem/activesupport@3.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.0 |
|
|
| aliases |
CVE-2011-2932, GHSA-9fh3-vh3h-q4g3
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e4wh-thvg-5kdk |
|
| 7 |
| url |
VCID-ejgq-s79w-abd6 |
| vulnerability_id |
VCID-ejgq-s79w-abd6 |
| summary |
rails Cross-site Scripting vulnerability
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-2197, GHSA-v9v4-7jp6-8c73
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ejgq-s79w-abd6 |
|
| 8 |
| url |
VCID-g8nb-cs9p-b7dc |
| vulnerability_id |
VCID-g8nb-cs9p-b7dc |
| summary |
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
CVE-2015-3226, GHSA-vxvp-4xwc-jpp6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g8nb-cs9p-b7dc |
|
| 9 |
| url |
VCID-hdsb-jx4g-fqf6 |
| vulnerability_id |
VCID-hdsb-jx4g-fqf6 |
| summary |
Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#% |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33170, GHSA-89vf-4333-qx8v
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| url |
VCID-n7kh-9mpq-13c7 |
| vulnerability_id |
VCID-n7kh-9mpq-13c7 |
| summary |
Cross site scripting that affects rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3009, GHSA-8qrh-h9m2-5fvf, OSV-57666
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n7kh-9mpq-13c7 |
|
| 11 |
| url |
VCID-qswy-ngsk-yfhy |
| vulnerability_id |
VCID-qswy-ngsk-yfhy |
| summary |
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activesupport@3.0.17 |
| purl |
pkg:gem/activesupport@3.0.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 11 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 12 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.0.17 |
|
| 1 |
| url |
pkg:gem/activesupport@3.1.0.beta1 |
| purl |
pkg:gem/activesupport@3.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.0.beta1 |
|
| 2 |
| url |
pkg:gem/activesupport@3.1.8 |
| purl |
pkg:gem/activesupport@3.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 11 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 12 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.8 |
|
| 3 |
| url |
pkg:gem/activesupport@3.2.0.rc1 |
| purl |
pkg:gem/activesupport@3.2.0.rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.2.0.rc1 |
|
| 4 |
| url |
pkg:gem/activesupport@3.2.8 |
| purl |
pkg:gem/activesupport@3.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 11 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 12 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.2.8 |
|
|
| aliases |
CVE-2012-3464, GHSA-h835-75hw-pj89, OSV-84516
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qswy-ngsk-yfhy |
|
| 12 |
| url |
VCID-qvc6-ev84-fkbd |
| vulnerability_id |
VCID-qvc6-ev84-fkbd |
| summary |
activesupport in Rails vulnerable to incorrect data conversion
`lib/active_support/json/backends/yaml.rb` in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activesupport@3.0.20 |
| purl |
pkg:gem/activesupport@3.0.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 11 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.0.20 |
|
| 1 |
| url |
pkg:gem/activesupport@3.1.0.beta1 |
| purl |
pkg:gem/activesupport@3.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-a97j-j4a4-7bg1 |
|
| 4 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 5 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 6 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 7 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 8 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 9 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 10 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 11 |
| vulnerability |
VCID-qswy-ngsk-yfhy |
|
| 12 |
| vulnerability |
VCID-qvc6-ev84-fkbd |
|
| 13 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 14 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.0.beta1 |
|
|
| aliases |
CVE-2013-0333, GHSA-xgr2-v94m-rc9g, OSV-89594
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qvc6-ev84-fkbd |
|
| 13 |
|
| 14 |
| url |
VCID-z8t9-md9f-qfde |
| vulnerability_id |
VCID-z8t9-md9f-qfde |
| summary |
activesupport Improper Input Validation vulnerability
The `ActiveSupport::XmlMini_JDOM` backend in `lib/active_support/xml_mini/jdom.rb` in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activesupport@3.1.12 |
| purl |
pkg:gem/activesupport@3.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 11 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.1.12 |
|
| 1 |
| url |
pkg:gem/activesupport@3.2.13 |
| purl |
pkg:gem/activesupport@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ghz-4sfg-2feh |
|
| 1 |
| vulnerability |
VCID-4wmv-rurk-tub6 |
|
| 2 |
| vulnerability |
VCID-71et-13y6-eufu |
|
| 3 |
| vulnerability |
VCID-b5he-f8nq-9yda |
|
| 4 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 5 |
| vulnerability |
VCID-e4wh-thvg-5kdk |
|
| 6 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 7 |
| vulnerability |
VCID-g8nb-cs9p-b7dc |
|
| 8 |
| vulnerability |
VCID-hdsb-jx4g-fqf6 |
|
| 9 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 10 |
| vulnerability |
VCID-v3mu-95kt-ufc6 |
|
| 11 |
| vulnerability |
VCID-z8t9-md9f-qfde |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@3.2.13 |
|
|
| aliases |
CVE-2013-1856, GHSA-9c2j-593q-3g82, OSV-91451
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z8t9-md9f-qfde |
|