
CVE-2024-43398 – REXML denial of service vulnerability
https://notcve.org/view.php?id=CVE-2024-43398
22 Aug 2024 — REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deeply nested elements carrying attributes with the same local name. If you need to parse untrusted XML with the tree parser API, such as REXML::Document.new, you may be affected by this vulnerability. If you use other parser APIs, such as the stream parser API or the SAX2 parser API, you are not affected. The REXML gem 3.3.6 or later includes the patch that fixes the vulnerability.
Reference: https://github.com/ruby/rexml/releases/tag/v3.3.6
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2024-41946 – REXML DoS vulnerability
https://notcve.org/view.php?id=CVE-2024-41946
01 Aug 2024 — REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API. The REXML gem 3.3.3 or later includes the patch that fixes the vulnerability. A flaw was found in the REXML package. Reading an XML file that contains many entity expansions may lead to a denial of service due to resource starvation.
Reference: https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
CWE-400: Uncontrolled Resource Consumption

CVE-2024-41123 – REXML DoS vulnerability
https://notcve.org/view.php?id=CVE-2024-41123
01 Aug 2024 — REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML document that contains many specific characters, such as whitespace characters, `>]` and `]>`. The REXML gem 3.3.3 or later includes the patches that fix these vulnerabilities. A vulnerability was found in REXML, an XML toolkit used for Ruby. When parsing untrusted XML containing many of these specific characters, the REXML gem may take a long time, leading to a denial of service condition.
Reference: https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
CWE-400: Uncontrolled Resource Consumption

CVE-2024-39908 – Denial of service in REXML
https://notcve.org/view.php?id=CVE-2024-39908
16 Jul 2024 — REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML document that contains many specific characters, such as `<`, `0` and `%>`. If you need to parse untrusted XML, you may be affected by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches that fix these vulnerabilities. Users are advised to upgrade.
Reference: https://github.com/SpiralBL0CK/CVE-2024-39908
CWE-400: Uncontrolled Resource Consumption

CVE-2024-35176 – REXML contains a denial of service vulnerability
https://notcve.org/view.php?id=CVE-2024-35176
16 May 2024 — REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML document that has many `<`s in an attribute value. Those who need to parse untrusted XML may be affected by this vulnerability. The REXML gem 3.2.7 or later includes the patch that fixes this vulnerability. As a workaround, don't parse untrusted XML.
Reference: https://github.com/SpiralBL0CK/CVE-2024-35176
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-32970 – Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
https://notcve.org/view.php?id=CVE-2024-32970
30 Apr 2024 — Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g and https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c, we have invested in extensive browser tests. It was these new tests that helped us uncover these issues. As of now ...
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-32463 – phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
https://notcve.org/view.php?id=CVE-2024-32463
17 Apr 2024 — phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4...
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-28199 – Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
https://notcve.org/view.php?id=CVE-2024-28199
11 Mar 2024 — phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML ...
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36617 – rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755
https://notcve.org/view.php?id=CVE-2023-36617
29 Jun 2023 — A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
Reference: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
CWE-185: Incorrect Regular Expression; CWE-1333: Inefficient Regular Expression Complexity

CVE-2023-28755 – ruby: ReDoS vulnerability in URI
https://notcve.org/view.php?id=CVE-2023-28755
31 Mar 2023 — A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. A flaw was found in the rubygem URI.
Reference: https://github.com/ruby/uri/releases
CWE-20: Improper Input Validation; CWE-1333: Inefficient Regular Expression Complexity