Cross-site Scripting in actionpack

GHSA-9chr-4fjh-5rgw

Published Oct 27, 2022 · Modified Mar 21, 2024

Description

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-3704
WEB https://github.com/rails/rails/issues/46244
WEB https://github.com/rails/rails/issues/46244#issuecomment-1380875153
WEB https://github.com/rails/rails/pull/46269
WEB https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
PACKAGE https://github.com/rails/rails
WEB https://vuldb.com/?id.212319

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes