CVSS: 7.5EPSS: 0%CPEs: 19EXPL: 1CVE-2021-41817 – ruby: Regular expression denial of service vulnerability of Date parsing methods
https://notcve.org/view.php?id=CVE-2021-41817
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. Date.parse en date gem versiones hasta 3.2.0 para Ruby, permite ReDoS (expresión regular de denegación de servicio) por medio de una cadena larga. Las versiones corregidas son 3.2.1, 3.1.2, 3.0.2 y 2.0.1. A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service (ReDoS) during the parsing of dates. • https://hackerone.com/reports/1254844 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF https://security.gentoo.org/glsa/202401-27 https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817 https://access.redhat.com/security/cve/CVE-2021-41817 https://bugzilla.redhat.com/show_bug. • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-5169
https://notcve.org/view.php?id=CVE-2014-5169
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title. Vulnerabilidad de XSS en el módulo Date anterior a 7.x-2.8 para Drupal permite a usuarios remotos autenticados con permiso para crear un campo de fecha inyectar secuencias de comandos web o HTML arbitrarios a través del título del campo de fecha. • http://www.openwall.com/lists/oss-security/2014/07/31/2 http://www.openwall.com/lists/oss-security/2014/07/31/4 http://www.securityfocus.com/bid/68974 https://www.drupal.org/node/2311887 https://www.drupal.org/node/2312609 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 0%CPEs: 20EXPL: 0CVE-2012-1626
https://notcve.org/view.php?id=CVE-2012-1626
SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en formulario de conversión para Eventos en el módulo Fecha v6.x-2.x antes de v6.x-2.8 para Drupal permite ejecutar comandos SQL a usuarios remotos autenticados con el privilegio "administrar Fecha de Herramientas" a través de vectores no especificados. • http://drupal.org/node/1401026 http://drupal.org/node/1401434 http://osvdb.org/78261 http://secunia.com/advisories/47533 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51378 https://exchange.xforce.ibmcloud.com/vulnerabilities/72356 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 2.1EPSS: 0%CPEs: 16EXPL: 0CVE-2009-3156
https://notcve.org/view.php?id=CVE-2009-3156
Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script or HTML via a "Content type label" field. Vulnerabilidad de ejecución de secuencias de comandos de sitios cruzados (XSS) en el sub-modulo Date Tools del modulo Date v6.x anteriores a 6.x-2.3 para Drupal permite a usuarios remotos autenticados con privilegios de "use date tools" o "administer content types" inyectar secuencias de comandos web o HTML arbitrarios a través del campo "Content type label". • http://drupal.org/node/534332 http://drupal.org/node/534636 http://lampsecurity.org/drupal-date-xss-vulnerability http://secunia.com/advisories/36006 http://www.osvdb.org/56608 http://www.securityfocus.com/bid/35790 http://www.vupen.com/english/advisories/2009/2103 https://exchange.xforce.ibmcloud.com/vulnerabilities/52143 https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01312.html https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01339.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •