CVE-2020-8264

Published: 07 Oct 2020
Source: redhat
CVSS3: 7.7

Description

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

A flaw was found in rubygem-actionpack. An XSS vulnerability is possible in Action Pack's Actionable Exceptions middleware while the application server is in development mode. The highest threat from this vulnerability is to data confidentiality and integrity.

Report

Red Hat products ship rubygem-actionpack; however, those are supposed to be run in production mode. This issue only impacts development mode, so the mentioned products are not affected by this flaw.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| CloudForms Management Engine 5 | cfme-amazon-smartstate | Not affected | | |
| CloudForms Management Engine 5 | cfme-gemset | Not affected | | |
| Red Hat Satellite 6 | tfm-ror52-rubygem-rails | Not affected | | |
| Red Hat Satellite 6 | tfm-rubygem-actionpack | Not affected | | |

Additional information

Status: Important
Defect: CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1886554 rubygem-actionpack: possible XSS vulnerability in Action Pack in development mode

CVSS3: 7.7 High

Related vulnerabilities

CVSS3: 6.1
ubuntu
about 5 years ago

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

CVSS3: 6.1
nvd
about 5 years ago

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

CVSS3: 6.1
debian
about 5 years ago

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when a ...

CVSS3: 6.1
github
almost 5 years ago

Cross-site scripting in actionpack