Lucene search

Veracode Vulnerability DatabaseVERACODE:47380

HistoryJun 06, 2024 - 4:27 a.m.

Cross-site Scripting(XSS)

2024-06-0604:27:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

actiontext

html

vulnerability

unsanitized

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

actiontext is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to the lack of sanitization of HTML content within instances of ActionText::Attachable::ContentAttachment included in a rich_text_area tag, which results in unsanitized HTML rendering.

CPENameOperatorVersion
actiontexteq7.2.0.beta1
actiontextle7.1.3.3
actiontexteq7.2.0.beta1
actiontextle7.1.3.3

Name	Operator	Version
actiontext	eq	7.2.0.beta1
actiontext	le	7.1.3.3
actiontext	eq	7.2.0.beta1
actiontext	le	7.1.3.3

References

github.com/rails/rails/commit/72a5225a788c88c39667e8840a1eae037d224621

github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995

github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:47380