Search CVE reports



11 – 20 of 148 results


CVE-2024-39308

Medium priority
Needs evaluation

RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).

1 affected package

ruby-rails-admin

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
ruby-rails-admin Not in release Not in release Not in release Needs evaluation

CVE-2024-32464

Medium priority
Needs evaluation

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in...

1 affected package

rails

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation

CVE-2024-28103

Medium priority
Needs evaluation

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in...

1 affected package

rails

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation

CVE-2024-26144

Medium priority
Needs evaluation

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activesupport-3.2, ruby-activerecord-3.2...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-rails-3.2 Not in release Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release Not in release
rails-4.0 Not in release Not in release Not in release Not in release

CVE-2024-26143

Medium priority
Needs evaluation

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activesupport-3.2, ruby-activerecord-3.2...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-rails-3.2 Not in release Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release Not in release
rails-4.0 Not in release Not in release Not in release Not in release

CVE-2024-26142

Medium priority
Needs evaluation

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activesupport-3.2, ruby-activerecord-3.2...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-rails-3.2 Not in release Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release Not in release
rails-4.0 Not in release Not in release Not in release Not in release

CVE-2023-38037

Medium priority
Needs evaluation

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activesupport-3.2, ruby-activerecord-3.2...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-rails-3.2 Not in release Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release Not in release
rails-4.0 Not in release Not in release Not in release Not in release

CVE-2023-28362

Medium priority
Needs evaluation

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers...

7 affected packages

rails, ruby-rails-3.2, ruby-actionpack-3.2, ruby-activesupport-3.2, ruby-activerecord-3.2...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-rails-3.2 Not in release Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release Not in release
rails-4.0 Not in release Not in release Not in release Not in release

CVE-2023-28120

Medium priority
Needs evaluation

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

7 affected packages

ruby-activemodel-3.2, ruby-activerecord-3.2, ruby-activesupport-3.2, ruby-rails-3.2, rails...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
ruby-activemodel-3.2 Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release
ruby-rails-3.2 Not in release Not in release Not in release
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
rails-4.0 Not in release Not in release Not in release
ruby-actionpack-3.2 Not in release Not in release Not in release

CVE-2023-23913

Medium priority
Needs evaluation

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when...

7 affected packages

rails-4.0, ruby-activemodel-3.2, ruby-activerecord-3.2, ruby-activesupport-3.2, rails...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rails-4.0 Not in release Not in release Not in release
ruby-activemodel-3.2 Not in release Not in release Not in release
ruby-activerecord-3.2 Not in release Not in release Not in release
ruby-activesupport-3.2 Not in release Not in release Not in release
rails Needs evaluation Needs evaluation Needs evaluation Needs evaluation
ruby-actionpack-3.2 Not in release Not in release Not in release
ruby-rails-3.2 Not in release Not in release Not in release