Search for packages
| purl | pkg:gem/activesupport@7.0.2.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rxp-g9rz-4yb3
Aliases: CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765 |
Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
Affected by 1 other vulnerability. |
|
VCID-6ku5-mtgz-zygw
Aliases: CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. |
|
VCID-6pxd-xsaw-tuer
Aliases: CVE-2023-38037 GHSA-cr5q-6q9f-rq6q |
Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||