CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28120 – rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice
https://notcve.org/view.php?id=CVE-2023-28120
17 Apr 2023 — There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. A Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrusted user input, malicious code could be executed. Two vulnerabilities were discovered in rails, the Ruby based server-side MVC web application framework, which could lead to XSS and DOM based cross-site scripting (CRS). This update also fixes a regr... • https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 1%CPEs: 2EXPL: 0CVE-2023-22796 – rubygem-activesupport: Regular Expression Denial of Service
https://notcve.org/view.php?id=CVE-2023-22796
09 Feb 2023 — A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. A flaw was found in rubygem-activesupport. RubyGem's activesupport gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in... • https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •