Search for packages
| purl | pkg:gem/activesupport@4.0.0.beta1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rxp-g9rz-4yb3
Aliases: CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765 |
Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-3zdr-vasc-a7cn
Aliases: CVE-2009-3009 GHSA-8qrh-h9m2-5fvf OSV-57666 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. | There are no reported fixed by versions. |
|
VCID-43f3-rxwm-fkgv
Aliases: CVE-2011-2932 GHSA-9fh3-vh3h-q4g3 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." | There are no reported fixed by versions. |
|
VCID-6ku5-mtgz-zygw
Aliases: CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7f5r-9h1g-nuch
Aliases: CVE-2009-3086 GHSA-fg9w-g6m4-557j |
Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. | There are no reported fixed by versions. |
|
VCID-ed3f-3bxh-eba4
Aliases: CVE-2015-3227 GHSA-j96r-xvjq-r9pg |
activesupport vulnerable to Denial of Service via large XML document depth The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. |
Affected by 6 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-j24x-nhsb-yug6
Aliases: CVE-2011-2197 GHSA-v9v4-7jp6-8c73 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. | There are no reported fixed by versions. |
|
VCID-t2cx-7ycd-tqhq
Aliases: CVE-2015-3226 GHSA-vxvp-4xwc-jpp6 |
activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. |
Affected by 6 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-uudj-r63z-kban
Aliases: CVE-2013-1856 GHSA-9c2j-593q-3g82 OSV-91451 |
XML Parsing Vulnerability affecting JRuby users There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. you should upgrade or use one of the work arounds immediately. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||