CVE-2022-27777 — Cross-site Scripting in Actionpack

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.9%

top 24.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Rubyonrails Actionpack Rails Actionview +2 more

Timeline

PublishedMay 26

Description

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶RubyGemsrails/actionview6.0.0 — 6.0.4.8+3

▶NVDrubyonrails/actionpack6.0.0 — 6.0.4.8+3

▶Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u1+3

▶CVEListV5https/github.com_rails_rails7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Also affects: Debian Linux 10.0

Patches

Patch: discuss.rubyonrails.org ↗Patch: discuss.rubyonrails.org ↗

🔴Vulnerability Details

OSV

CVE-2022-27777: A XSS Vulnerability in Action View tag helpers >= 5↗2022-05-26

▶

CVEList

CVE-2022-27777: A XSS Vulnerability in Action View tag helpers >= 5↗2022-05-26

▶

GHSA

XSS Vulnerability in Action View tag helpers↗2022-04-27

▶

OSV

XSS Vulnerability in Action View tag helpers↗2022-04-27

▶

📋Vendor Advisories

Red Hat

tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers↗2022-04-27

▶

Debian

CVE-2022-27777: rails - A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would ...↗2022

▶