CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-22577 – rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
https://notcve.org/view.php?id=CVE-2022-22577
26 May 2022 — An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses. Una vulnerabilidad de tipo XSS en Action Pack versiones posteriores a 5.2.0 incluyéndola y versiones anteriores a 5.2.0, que podría permitir a un atacante omitir el CSP para conseguir respuestas que no sean HTML A flaw was found in rubygem-actionpack where CSP headers were sent with responses that Rails considered "HTML" responses. This flaw allows an attacker to leave API request... • https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2022-27777 – tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
https://notcve.org/view.php?id=CVE-2022-27777
26 May 2022 — A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. Una vulnerabilidad de tipo XSS en Action View tag helpers versiones posteriores a 5.2.0 incluyéndola y versiones anteriores a 5.2.0, que permitiría a un atacante inyectar contenido si es capaz de controlar la entrada en atributos específicos A flaw was found in rubygem-actionview when untrusted data such as the hash key for tag attributes are ... • https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •