CVE-2022-3704 — Improper Neutralization in Project Actionpack
Severity
NVD: 5.4 MEDIUM
CNA: 3.5
EPSS
0.3%
top 49.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 26
Latest update: Oct 27
Description
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated ide…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7
Affected Packages: 1 package
Patches
Vulnerability Details
4 OSV
CVE-2022-3704: ** DISPUTED ** A vulnerability classified as problematic has been found in Ruby on Rails (2022-10-26)