CVE-2020-8264
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.
En actionpack gem versiones posteriores a 6.0.0 incluyéndola, se presenta una posible vulnerabilidad de tipo XSS cuando una aplicación se ejecuta en modo development permitiendo a un atacante enviar o insertar (en otra página) una URL especialmente diseñada que puede permitir al atacante ejecutar JavaScript en el contexto de la aplicación local. Esta vulnerabilidad se encuentra en el middleware de Excepciones Accionables
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-28 CVE Reserved
- 2021-01-06 CVE Published
- 2023-09-22 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ | Mailing List |
| URL | Date | SRC |
|---|---|---|
| https://hackerone.com/reports/904059 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 6.0.0 < 6.0.3.4 Search vendor "Rubyonrails" for product "Rails" and version " >= 6.0.0 < 6.0.3.4" | - |
Affected
| ||||||