GHSA-6jvm-3j5h-79f6

Published: 24 Oct 2017
Source: github
GitHub: reviewed

Description

paperclip Cross-site Scripting vulnerability

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.

Packages

Name: paperclip (rubygems)

Affected versions: < 4.2.2
Fixed version: 4.2.2

EPSS

Percentile: 65%
Score: 0.00481
Low

Weaknesses

CWE-79

Related vulnerabilities

nvd
more than 10 years ago
