Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Y2hyLTRmamgtNXJnd84AAvjh
Cross-site Scripting in actionpack
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.
This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.
Permalink: https://github.com/advisories/GHSA-9chr-4fjh-5rgwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Y2hyLTRmamgtNXJnd84AAvjh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: 30 days ago Widthdrawn: about 1 year ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-9chr-4fjh-5rgw, CVE-2022-3704
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-3704
- https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
- https://vuldb.com/?id.212319
- https://github.com/rails/rails/pull/46269
- https://github.com/rails/rails/issues/46244#issuecomment-1380875153
- https://github.com/rails/rails/issues/46244
- https://github.com/advisories/GHSA-9chr-4fjh-5rgw
Blast Radius: 20.8
Affected Packages
rubygems:actionpack
Dependent packages: 1,669Dependent repositories: 876,080
Downloads: 530,033,378 total
Affected Version Ranges: <= 7.0.4
No known fixed version
All affected versions: 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.2.2, 2.2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4