CVE-2023-30614

2023-04-1918:15:07

CWE-79

GitHub_M

web.nvd.nist.gov

pay

ruby on rails

payment engine

vulnerability

reflected cross-site scripting

cve-2023-30614

security advisory

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

36.1%

JSON

Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL could be distributed via email to specifically target certain individuals. If the targeted application contains a functionality to submit user-generated content (such as comments) the attacker could even distribute the URL using that functionality. This has been patched in version 6.3.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Vulners

Node

pay_projectpayRange<6.3.2ruby

VendorProductVersionCPE
pay_projectpay*cpe:2.3:a:pay_project:pay:*:*:*:*:*:ruby:*:*

Vendor	Product	Version	CPE
pay_project	pay	*	cpe:2.3:a:pay_project:pay::::::ruby::*

CNA Affected

[
  {
    "vendor": "pay-rails",
    "product": "pay",
    "versions": [
      {
        "version": "< 6.3.2",
        "status": "affected"
      }
    ]
  }
]