Page 6 of 86 results (0.030 seconds)

CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. Vulnerabilidad de XSS en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de atributos de etiqueta manipulados. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/11 http://www.securitytracker.com/id/1034816 https://git • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0

Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. Vulnerabilidad de XSS en lib/rails/html/scrubbers.rb en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nodo CDATA manipulado. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/15 http://www.securitytracker.com/id/1034816 https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/12 http://www.securitytracker.com/id/1034816 https://git • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 1%CPEs: 86EXPL: 0

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. El método http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementación Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea más fácil para atacantes remotos eludir la autenticación mediante la medición de las diferencias de temporización. A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html http://lists.opensuse.org/opensuse-updates/201 • CWE-254: 7PK - Security Features CWE-385: Covert Timing Channel •

CVSS: 7.5EPSS: 2%CPEs: 41EXPL: 0

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. actionpack/lib/action_dispatch/routing/route_set.rb en Action Pack en Ruby on Rails 4.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 permite a atacantes remotos causar una denegación de servicio (almacenamiento en caché superfluo y consumo de memoria) aprovechando el uso de una ruta de controlador comodín por una aplicación. A flaw was found in the Action Pack component's caching of controller references. An attacker could use this flaw to cause unbounded memory growth, potentially resulting in a denial of service. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html http://rhn.redhat.com/errata/RHSA-2016-0296.html http://www.debian.org/security/2016/dsa-3464 http://www.openwall.com/lists/oss-security/2016/01/25/16 http://www.securityfocus.com/bid&#x • CWE-399: Resource Management Errors CWE-770: Allocation of Resources Without Limits or Throttling •