CVE-2024-26143 – Rails Possible XSS Vulnerability in Action Controller
https://notcve.org/view.php?id=CVE-2024-26143
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in "_html" and a :default value that contains untrusted user input, and then render the resulting string in a view, may be susceptible to XSS. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
• https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
• https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
• https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
• https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
• https://security.netapp.com/advisory/ntap-20240510-0004
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
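The following is an added example, not Rails' own code. It is a minimal model of the "_html" translation-key convention (interpolation values are escaped, the result is marked html_safe), which is enough to show why an untrusted :default on an "_html" key is rendered unescaped and how escaping the default closes the hole. SafeString stands in for ActiveSupport::SafeBuffer, TRANSLATIONS for the locale files, and the attacker payload is constructed; the names translate_vulnerable, translate_fixed and render_in_view are this example's own.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String the view emits without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed locale table (stands in for config/locales/*.yml).
TRANSLATIONS = {
  'greeting_html' => 'Hello, <b>%{name}</b>'
}.freeze

def html_safe_key?(key)
  key.to_s.end_with?('_html', '.html')
end

# Escape a value unless it is already marked html_safe.
def escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Replace %{name} placeholders; unknown placeholders are left as they are.
def interpolate(template, vars)
  template.gsub(/%\{(\w+)\}/) do |placeholder|
    name = Regexp.last_match(1).to_sym
    vars.key?(name) ? vars[name].to_s : placeholder
  end
end

# Model of the pre-fix behaviour the advisory describes: for an "_html" key the
# interpolation values are escaped, but a :default fallback is used verbatim and
# the whole result is then marked html_safe.
def translate_vulnerable(key, default: nil, **vars)
  template = TRANSLATIONS.fetch(key.to_s, default)
  return "translation missing: #{key}" if template.nil?
  return interpolate(template.to_s, vars) unless html_safe_key?(key)

  safe_vars = vars.transform_values { |v| escape(v) }
  SafeString.new(interpolate(template.to_s, safe_vars))
end

# Hardened model: for an "_html" key, a :default that is not already html_safe is
# escaped before it is treated as markup. Defaults the app deliberately marked
# safe pass through unchanged.
def translate_fixed(key, default: nil, **vars)
  default = escape(default) if html_safe_key?(key) && !default.nil?
  translate_vulnerable(key, default: default, **vars)
end

# What an ERB view does with a value: html_safe strings are emitted as-is,
# everything else is escaped.
def render_in_view(value)
  escape(value).to_s
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(document.cookie)</script>' # constructed attacker input
  puts render_in_view(translate_vulnerable(:missing_html, default: payload))
  puts render_in_view(translate_fixed(:missing_html, default: payload))
  puts render_in_view(translate_fixed(:greeting_html, name: '<i>Mallory</i>'))
end
```

The practical check for an application is the combination the advisory names: an "_html" (or ".html") key, a :default built from request data, and the result reaching a view. Keys without the suffix are not affected in this model because the view escapes the plain String.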
CVE-2024-26142 – Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch
https://notcve.org/view.php?id=CVE-2024-26142
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications running on Ruby 3.2 or newer are unaffected.
• https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
• https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
• https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
• https://security.netapp.com/advisory/ntap-20240503-0003
• CWE-1333: Inefficient Regular Expression Complexity
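The following is an added example, not Action Dispatch's code, and it does not reproduce the affected pattern. It shows the two defences a practitioner has against this class of bug: a hand-written, linear-time Accept header parser that never hands attacker-controlled text to a backtracking regex, and a helper that uses the Ruby 3.2 Regexp.linear_time? API (part of the Ruby 3.2 regex mitigations the advisory refers to) to flag patterns that can still backtrack. MediaRange, parse_accept and regexp_risk are this example's own names; the header strings are constructed.

```ruby
# One media range from an Accept header, e.g. text/html;level=1;q=0.9
MediaRange = Struct.new(:type, :subtype, :q, :params)

# Parse an Accept header into media ranges ordered by q (highest first, ties in
# header order). Only String#split on literal separators is used, so the work is
# linear in the header length no matter how the input is shaped. Malformed
# elements are dropped rather than raised on.
def parse_accept(header)
  ranges = []
  header.to_s.split(',').each_with_index do |element, index|
    mime, *param_strings = element.split(';').map(&:strip)
    type, subtype = mime.to_s.split('/', 2)
    next if type.nil? || type.empty? || subtype.nil? || subtype.empty?

    q = 1.0
    params = {}
    param_strings.each do |param|
      name, value = param.split('=', 2)
      next if name.nil? || value.nil?
      name = name.strip.downcase
      value = value.strip
      if name == 'q'
        q = Float(value, exception: false) # nil on junk such as q=abc
      else
        params[name] = value
      end
    end
    next if q.nil? # unparseable q: drop the element instead of guessing

    ranges << [MediaRange.new(type.downcase, subtype.downcase, q.clamp(0.0, 1.0), params), index]
  end
  ranges.sort_by { |range, index| [-range.q, index] }.map(&:first)
end

# Classify a pattern before it is allowed near request headers. Regexp.linear_time?
# exists from Ruby 3.2 on; on older interpreters the answer is :unknown, which is
# the version range the advisory says is still exposed.
def regexp_risk(pattern)
  return :unknown unless Regexp.respond_to?(:linear_time?)
  Regexp.linear_time?(pattern) ? :linear : :backtracking
end

if __FILE__ == $PROGRAM_NAME
  header = 'text/html;q=0.9, application/json, */*;q=0.1' # constructed
  parse_accept(header).each { |r| puts "#{r.type}/#{r.subtype} q=#{r.q} #{r.params}" }
  puts regexp_risk(/\A[^,;]+\z/)          # no backreferences or lookaround
  puts regexp_risk(/\A(\w+)\s+\1\z/)      # backreference: not linear-time
end
```

Beyond Regexp.linear_time?, Ruby 3.2 also added Regexp.timeout= as a global cap on any single match; on older Rubies neither exists, so the only reliable mitigation for header parsing is to upgrade Rails or avoid the regex altogether as above.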
CVE-2015-2179
https://notcve.org/view.php?id=CVE-2015-2179
The xaviershay-dm-rails gem 0.10.3.8 for Ruby allows local users to discover MySQL credentials by listing a process and its arguments.
• http://www.vapid.dhs.org/advisory.php?v=115
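The following is an added example, not the gem's code. It contrasts the leaky shape (the password as a command-line argument, which any local user can read with ps or from /proc/<pid>/cmdline) with an owner-only MySQL options file passed through --defaults-extra-file, and it includes a check that reads a child's argv the way ps does. The /proc check works on Linux and reports :unavailable elsewhere; `sh -c 'sleep 5'` stands in for the real client so nothing connects to a database. All credentials are constructed and the function names are this example's own.

```ruby
require 'tempfile'

# Leaky shape: the password is part of argv, so it is visible in `ps -ef` and in
# /proc/<pid>/cmdline for the lifetime of the client process.
def mysql_command_vulnerable(user, password, db)
  ['mysql', "--user=#{user}", "--password=#{password}", db]
end

# Hardened shape: credentials live in a 0600 options file that the mysql client
# reads via --defaults-extra-file (which must be its first option). Returns the
# argv and the Tempfile; the file must outlive the child process.
def mysql_command_hardened(user, password, db)
  cnf = Tempfile.new(['client', '.cnf'])
  cnf.chmod(0o600)
  cnf.write("[client]\nuser=#{user}\npassword=#{password}\n")
  cnf.flush
  [['mysql', "--defaults-extra-file=#{cnf.path}", db], cnf]
end

# Read a process's argv as a local observer would (NUL-separated in /proc).
def argv_of(pid)
  path = "/proc/#{pid}/cmdline"
  return nil unless File.readable?(path)
  File.binread(path).split("\0")
end

# Launch a stand-in for the client (`sh -c 'sleep 5'` receives argv as its
# positional parameters), wait until it has exec'ed, and report whether the
# secret appears in its argv. Returns true/false, or :unavailable without /proc.
def secret_visible_in_argv?(argv, secret)
  return :unavailable unless File.directory?('/proc')
  pid = Process.spawn('sh', '-c', 'sleep 5', *argv)
  seen = nil
  50.times do
    seen = argv_of(pid)
    break if seen && seen.first == 'sh' # exec has happened
    sleep 0.02
  end
  seen.to_a.any? { |arg| arg.include?(secret) }
ensure
  if pid
    Process.kill('TERM', pid) rescue nil
    Process.wait(pid) rescue nil
  end
end

if __FILE__ == $PROGRAM_NAME
  vuln = mysql_command_vulnerable('app', 'hunter2', 'shop')   # constructed
  safe, cnf = mysql_command_hardened('app', 'hunter2', 'shop')
  puts "password in argv (vulnerable): #{secret_visible_in_argv?(vuln, 'hunter2')}"
  puts "password in argv (hardened):   #{secret_visible_in_argv?(safe, 'hunter2')}"
  cnf.close!
end
```

The same leak applies to any wrapper that shells out to a database client; the options-file (or a MYSQL_PWD environment variable, which ps does not show but which is readable from /proc/<pid>/environ by the same user) keeps the secret out of the process list.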
CVE-2023-27849
https://notcve.org/view.php?id=CVE-2023-27849
rails-routes-to-json v1.0.0 (an npm package) was found to contain a remote code execution (RCE) vulnerability via its use of Node's child_process module.
• https://github.com/omnitaint/Vulnerability-Reports/blob/2211ea4712f24d20b7f223fb737910fdfb041edb/reports/rails-routes-to-json/report.md
• https://www.npmjs.com/package/rails-routes-to-json
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
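The following is an added example of the CWE-77 pattern behind this class of bug, written in Ruby rather than taken from the (JavaScript) package, whose code the page does not show. It contrasts interpolating untrusted text into a shell command string with passing the command and its arguments as an argv array; `echo` stands in for the real command and the payload is constructed. run_shell_string and run_argv are this example's own names.

```ruby
require 'open3'

# Vulnerable: the untrusted value is spliced into a single command string, which
# Ruby hands to /bin/sh, so shell metacharacters in it become new commands.
def run_shell_string(user_input)
  out, _status = Open3.capture2e("echo #{user_input}")
  out
end

# Hardened: command and arguments are separate argv entries, so no shell parses
# the untrusted value; it arrives at the program as one opaque argument.
def run_argv(user_input)
  out, _status = Open3.capture2e('echo', user_input)
  out
end

if __FILE__ == $PROGRAM_NAME
  payload = 'routes; echo INJECTED' # constructed attacker-controlled value
  puts run_shell_string(payload)    # two commands ran
  puts run_argv(payload)            # one command, one literal argument
end
```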
CVE-2014-125054 – koroket RedditOnRails Vote access control
https://notcve.org/view.php?id=CVE-2014-125054
A vulnerability classified as critical was found in koroket RedditOnRails. It affects unknown code in the Vote Handler component; manipulation leads to improper access controls, and the attack can be initiated remotely. The fix is commit 7f3c7407d95d532fcc342b00d68d0ea09ca71030.
• https://github.com/koroket/RedditOnRails/commit/7f3c7407d95d532fcc342b00d68d0ea09ca71030
• https://vuldb.com/?ctiid.217594
• https://vuldb.com/?id.217594
• CWE-284: Improper Access Control