CVE-2020-8264 — Cross-site Scripting in Project Actionpack

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 42.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack Https Github.com Rails Rails

Timeline

PublishedJan 6

Latest updateApr 7

Description

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶RubyGemsactionpack_project/actionpack6.0.0 — 6.0.3.4

▶NVDrubyonrails/rails6.0.0 — 6.0.3.4

▶Debianrubyonrails/rails< 2:6.0.3.4+dfsg-1+3

▶CVEListV5https/github.com_rails_rails6.0.3.4

Patches

Patch: hackerone.com ↗Patch: hackerone.com ↗

🔴Vulnerability Details

OSV

Cross-site scripting in actionpack↗2021-04-07

▶

GHSA

Cross-site scripting in actionpack↗2021-04-07

▶

OSV

CVE-2020-8264: In actionpack gem >= 6↗2021-01-06

▶

CVEList

CVE-2020-8264: In actionpack gem >= 6↗2021-01-06

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: possible XSS vulnerability in Action Pack in development mode↗2020-10-07

▶

Debian

CVE-2020-8264: rails - In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an applicat...↗2020

▶

💬Community

Bugzilla

CVE-2020-8264 rubygem-actionpack: possible XSS vulnerability in Action Pack in development mode↗2020-10-08

▶