CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-16471
https://notcve.org/view.php?id=CVE-2018-16471
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. Hay una posible vulnerabilidad Cross-Site Scripting (XSS) en Rack en versiones anteriores a la 2.0.6 y la 1.6.11. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html https://groups.google.com/forum/#%21topic/rubyonrails-security/GKsAFT924Ag https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html https://usn.ubuntu.com/4089-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 6%CPEs: 7EXPL: 0CVE-2015-3225 – rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()
https://notcve.org/view.php?id=CVE-2015-3225
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. Vulnerabilidad en lib/rack/utils.rb en Rack en versiones anteriores a 1.5.4 y 1.6.x anteriores a 1.6.2, tal como se utiliza con Ruby on Rails en versiones 3.x y 4.x y en otros productos, permite a atacantes remotos provocar una denegación de servicio (SystemStackError) a través de una solicitud con un parámetro de gran tamaño. A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.html http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.html http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.html http://openwall.com/lists/oss-security/2015/06/16/14 http://rhn.redhat.com/errata/RHSA-2015-2290.html http://www.debian.org/security&#x • CWE-19: Data Processing Errors CWE-400: Uncontrolled Resource Consumption •