CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2018-16476 – activejob: Information Exposure through deserialization using GlobalId
https://notcve.org/view.php?id=CVE-2018-16476
30 Nov 2018 — A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1. Una vulnerabilidad del Control de acceso roto en las versiones de Trabajo activo> = versión 4.2.0 permite a un atacante crear una entrada de usuario que puede hacer que el Trabajo activo lo deser... • https://access.redhat.com/errata/RHSA-2019:0600 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16477
https://notcve.org/view.php?id=CVE-2018-16477
30 Nov 2018 — A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1. Una vulnerabilida... • https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •