Search for packages
| purl | pkg:gem/activesupport@4.2.9.rc1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rxp-g9rz-4yb3
Aliases: CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765 |
Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-3zdr-vasc-a7cn
Aliases: CVE-2009-3009 GHSA-8qrh-h9m2-5fvf OSV-57666 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. | There are no reported fixed by versions. |
|
VCID-43f3-rxwm-fkgv
Aliases: CVE-2011-2932 GHSA-9fh3-vh3h-q4g3 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." | There are no reported fixed by versions. |
|
VCID-6ku5-mtgz-zygw
Aliases: CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7f5r-9h1g-nuch
Aliases: CVE-2009-3086 GHSA-fg9w-g6m4-557j |
Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. | There are no reported fixed by versions. |
|
VCID-j24x-nhsb-yug6
Aliases: CVE-2011-2197 GHSA-v9v4-7jp6-8c73 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||