Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-1rxp-g9rz-4yb3
Vulnerability ID VCID-1rxp-g9rz-4yb3
Aliases CVE-2023-28120
GHSA-pj73-v5mw-pm9j
GMS-2023-765
Summary Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-28120
cvssv3 5.3 https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
cvssv3.1 5.3 https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
generic_textual MODERATE https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
ssvc Track https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-pj73-v5mw-pm9j
cvssv3.1 5.3 https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
generic_textual MODERATE https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
ssvc Track https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
cvssv3.1 5.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-28120
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-28120
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20240202-0006
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20240202-0006
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20240202-0006/
ssvc Track https://security.netapp.com/advisory/ntap-20240202-0006/
cvssv3.1 5.3 https://www.debian.org/security/2023/dsa-5389
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5389
ssvc Track https://www.debian.org/security/2023/dsa-5389
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
https://api.first.org/data/v1/epss?cve=CVE-2023-28120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
https://security.netapp.com/advisory/ntap-20240202-0006
https://www.debian.org/security/2023/dsa-5389
1033262 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
2179637 https://bugzilla.redhat.com/show_bug.cgi?id=2179637
CVE-2023-28120 https://nvd.nist.gov/vuln/detail/CVE-2023-28120
CVE-2023-28120.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
GHSA-pj73-v5mw-pm9j https://github.com/advisories/GHSA-pj73-v5mw-pm9j
ntap-20240202-0006 https://security.netapp.com/advisory/ntap-20240202-0006/
RHSA-2023:1953 https://access.redhat.com/errata/RHSA-2023:1953
RHSA-2023:3495 https://access.redhat.com/errata/RHSA-2023:3495
UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28120
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20240202-0006
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20240202-0006/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://security.netapp.com/advisory/ntap-20240202-0006/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.debian.org/security/2023/dsa-5389
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/ Found at https://www.debian.org/security/2023/dsa-5389
Exploit Prediction Scoring System (EPSS)
Percentile 0.60323
EPSS Score 0.00395
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:00.797325+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml 38.0.0