exploitDog

GHSA-phmw-pv3f-vvx7

Published: Aug 13, 2018
Source: github
Github: Reviewed

Description

Moderate severity vulnerability that affects paperclip

Withdrawn, accidental duplicate publish.

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.

Packages

Name: paperclip
Ecosystem: rubygems
Affected versions: < 4.2.2
Fixed version: 4.2.2