CVE-2024-28103 – Action Pack is missing security headers on non-HTML responses
https://notcve.org/view.php?id=CVE-2024-28103
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
References: https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523 https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
CWE-20: Improper Input Validation
CVE-2024-26143 – Rails Possible XSS Vulnerability in Action Controller
https://notcve.org/view.php?id=CVE-2024-26143
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in "_html" and a :default value containing untrusted user input, and then use the resulting string in a view, may be susceptible to XSS. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
References: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947 https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml https://security.netapp.com/advisory/ntap-20240510-0004
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26142 – Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch
https://notcve.org/view.php?id=CVE-2024-26142
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
References: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946 https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272 https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml https://security.netapp.com/advisory/ntap-20240503-0003
CWE-1333: Inefficient Regular Expression Complexity