CVE-2023-22797
https://notcve.org/view.php?id=CVE-2023-22797
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability. • https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2022-22577 – rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
https://notcve.org/view.php?id=CVE-2022-22577
An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses. Una vulnerabilidad de tipo XSS en Action Pack versiones posteriores a 5.2.0 incluyéndola y versiones anteriores a 5.2.0, que podría permitir a un atacante omitir el CSP para conseguir respuestas que no sean HTML A flaw was found in rubygem-actionpack where CSP headers were sent with responses that Rails considered "HTML" responses. This flaw allows an attacker to leave API requests without CSP headers and perform a Cross-site scripting attack. • https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html https://security.netapp.com/advisory/ntap-20221118-0002 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2022-22577 https://bugzilla.redhat.com/show_bug.cgi?id=2080302 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-27777 – tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
https://notcve.org/view.php?id=CVE-2022-27777
A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. Una vulnerabilidad de tipo XSS en Action View tag helpers versiones posteriores a 5.2.0 incluyéndola y versiones anteriores a 5.2.0, que permitiría a un atacante inyectar contenido si es capaz de controlar la entrada en atributos específicos A flaw was found in rubygem-actionview when untrusted data such as the hash key for tag attributes are not properly escaped. This flaw allows an attacker to perform a Cross-site scripting attack. • https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2022-27777 https://bugzilla.redhat.com/show_bug.cgi?id=2080296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •