exploitDog
CVE-2024-26143

Published: 24 Feb 2024
Source: redhat
CVSS3: 4.1

Description

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.

A vulnerability was found in actionpack ruby gem. Applications using the translate method may be susceptible to a cross-site scripting (XSS) attack.

Report

The following requirements need to be met in order for an application to be vulnerable:

  • Use a translation function from a controller (as opposed to I18n.t, or t from a view)
  • Use a key that ends in _html
  • Use a default value where the default value is untrusted and unescaped input
  • Send the text to the victim, whether that's part of a template, or a render call
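The four conditions above, shown side by side as a vulnerable and a hardened pattern. This is an added example, not code from the advisory or from Rails: `model_translate` and `render_result` are constructed stand-ins that mimic only the behaviour the advisory describes (an `_html` key is treated as trusted markup and rendered without escaping, while an untrusted `:default` flows into it unchanged). The mitigation shown is escaping the untrusted default with `ERB::Util.html_escape` before it reaches the helper; upgrading to the fixed versions named above (7.1.3.1 / 7.0.8.1) is the actual fix.

```ruby
require "erb"

# Constructed translation table; the only key present uses the "_html" suffix,
# which Rails treats as trusted markup. Everything here is a model, not Rails.
TRANSLATIONS = { "welcome_html" => "<b>Welcome, %{name}</b>" }.freeze

# Stand-in for a controller-side translate/t call. A missing key falls back to
# :default, and a key ending in "_html" is flagged as html_safe (the condition
# the advisory describes), so its text will not be escaped on render.
def model_translate(key, default: nil, **interpolations)
  template = TRANSLATIONS.fetch(key) { default }
  text = template.to_s.gsub(/%\{(\w+)\}/) { interpolations.fetch(Regexp.last_match(1).to_sym, "") }
  { text: text, html_safe: key.end_with?("_html") }
end

# Stand-in for view rendering: html_safe strings are emitted verbatim,
# everything else is HTML-escaped.
def render_result(result)
  result[:html_safe] ? result[:text] : ERB::Util.html_escape(result[:text])
end

# Vulnerable pattern: untrusted input is passed as :default under an _html key,
# so it reaches the page unescaped (condition 1 + 2 + 3 + 4 from the report).
def vulnerable_render(untrusted)
  render_result(model_translate("missing_key_html", default: untrusted))
end

# Hardened pattern: escape the untrusted default before handing it to the helper,
# so the _html key only ever carries markup the application produced itself.
def hardened_render(untrusted)
  render_result(model_translate("missing_key_html", default: ERB::Util.html_escape(untrusted)))
end

# Control: a key that exists in the table and carries an interpolated value.
def known_key_render(name)
  render_result(model_translate("welcome_html", name: ERB::Util.html_escape(name)))
end

if __FILE__ == $PROGRAM_NAME
  constructed_input = "<script>alert(1)</script>"  # constructed sample, not a real payload source
  puts "vulnerable: #{vulnerable_render(constructed_input)}"
  puts "hardened:   #{hardened_render(constructed_input)}"
  puts "known key:  #{known_key_render(constructed_input)}"
end
```

The model deliberately mirrors the report's wording rather than Rails internals: `model_translate` never escapes, and `render_result` trusts whatever carries the `_html` flag, which is exactly why escaping must happen before the untrusted value becomes a `:default`.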

Affected packages

Platform                                 | Package                     | State        | Recommendation | Release
Red Hat 3scale API Management Platform 2 | 3scale-amp-system-container | Affected     |                |
Red Hat Satellite 6                      | rubygem-actionpack          | Not affected |                |


Additional information

Status: Low
Defect: CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2266388
rubygem-actionpack: Possible XSS on translation helpers

4.1 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.1
ubuntu
more than 1 year ago

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.

CVSS3: 6.1
nvd
more than 1 year ago

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.

CVSS3: 6.1
debian
more than 1 year ago

Rails is a web-application framework. There is a possible XSS vulnerab ...

CVSS3: 6.1
github
more than 1 year ago

Rails has possible XSS Vulnerability in Action Controller

CVSS3: 6.1
fstec
more than 1 year ago

A vulnerability in the Ruby on Rails software platform, related to improper neutralization of input during web page generation, that allows an attacker to perform cross-site scripting
