CVE-2020-36190
https://notcve.org/view.php?id=CVE-2020-36190
RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. RailsAdmin (también se conoce como rails_admin) versiones anteriores a 1.4.3 y versiones 2.x anteriores a 2.0.2, permite un ataque de tipo XSS por medio de formularios anidados • https://github.com/sferik/rails_admin/blob/master/README.md https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375 https://github.com/sferik/rails_admin/compare/v1.4.2...v1.4.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-12098
https://notcve.org/view.php?id=CVE-2017-12098
An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability. Existe una vulnerabilidad de Cross-Site Scripting (XSS) explotable en la funcionalidad add filter de la gema de rails rails_admin en su versión 1.2.0. Una URL especialmente manipulada puede provocar un error de XSS, lo que lleva a que un atacante pueda ejecutar JavaScript arbitrario en el navegador de la víctima. • http://www.securityfocus.com/bid/102486 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •