VulnerableCode Package Details - pkg:gem/rails@7.0.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-5bh7-drnb-7ygg Aliases: CVE-2024-26143 GHSA-9822-6m93-xqf4	Rails has possible XSS Vulnerability in Action Controller # Possible XSS Vulnerability in Action Controller There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143. Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1 Impact ------ Applications using translation methods like `translate`, or `t` on a controller, with a key ending in "_html", a `:default` key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. For example, impacted code will look something like this: ```ruby class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end end ``` To reiterate the pre-conditions, applications must: * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view) * Use a key that ends in `_html` * Use a default value where the default value is untrusted and unescaped input * Send the text to the victim (whether that's part of a template, or a `render` call) All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-0-translate-xss.patch - Patch for 7.0 series * 7-1-translate-xss.patch - Patch for 7.1 series Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!	7.0.8.1 Affected by 0 other vulnerabilities. 7.1.3.1 Affected by 0 other vulnerabilities.
VCID-65tq-e5eb-eucj Aliases: CVE-2024-26144 GHSA-8h22-8cf7-hq6g	Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!	7.0.8.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5bh7-drnb-7ygg
Aliases:
CVE-2024-26143
GHSA-9822-6m93-xqf4

Rails has possible XSS Vulnerability in Action Controller # Possible XSS Vulnerability in Action Controller There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143. Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1 Impact ------ Applications using translation methods like `translate`, or `t` on a controller, with a key ending in "_html", a `:default` key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. For example, impacted code will look something like this: ```ruby class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end end ``` To reiterate the pre-conditions, applications must: * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view) * Use a key that ends in `_html` * Use a default value where the default value is untrusted and unescaped input * Send the text to the victim (whether that's part of a template, or a `render` call) All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-0-translate-xss.patch - Patch for 7.0 series * 7-1-translate-xss.patch - Patch for 7.1 series Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!

7.0.8.1
Affected by 0 other vulnerabilities.

7.1.3.1
Affected by 0 other vulnerabilities.

VCID-65tq-e5eb-eucj
Aliases:
CVE-2024-26144
GHSA-8h22-8cf7-hq6g

Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!

7.0.8.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:52:39.817177+00:00	GitLab Importer	Affected by	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.4.0
2026-04-16T22:52:35.745653+00:00	GitLab Importer	Affected by	VCID-5bh7-drnb-7ygg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26143.yml	38.4.0
2026-04-12T00:11:15.997754+00:00	GitLab Importer	Affected by	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.3.0
2026-04-12T00:11:14.291474+00:00	GitLab Importer	Affected by	VCID-5bh7-drnb-7ygg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26143.yml	38.3.0
2026-04-03T00:17:16.977660+00:00	GitLab Importer	Affected by	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.1.0
2026-04-03T00:17:12.718410+00:00	GitLab Importer	Affected by	VCID-5bh7-drnb-7ygg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26143.yml	38.1.0