PT-2021-12714 · Rubygems · Action Pack

Published: 2021-01-06 · Updated: 2024-06-15 · CVE-2020-8264
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: actionpack gem versions 6.0.0 and later
Description: A possible XSS vulnerability exists in the Actionable Exceptions middleware when an application is running in development mode, allowing an attacker to execute JavaScript in the context of the local application by sending or embedding a specially crafted URL.
Recommendations: For actionpack gem versions 6.0.0 and later, disable the Actionable Exceptions middleware in the development environment by adding the line config.middleware.delete ActionDispatch::ActionableExceptions to the config/environments/development.rb file until a patch can be applied.
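
A way to check whether a given Rails checkout still needs the workaround above, as an added example that is not code from this advisory or from the Rails project. The function names are hypothetical and the lockfile and config samples are constructed. It knows only the "6.0.0 and later" range stated here, so it cannot tell whether a resolved version already contains a fix.

```ruby
require "rubygems" # Gem::Version for correct version ordering

# Lower bound taken from this advisory ("6.0.0 and later").
AFFECTED_FROM = Gem::Version.new("6.0.0")
# An uncommented mitigation line in config/environments/development.rb.
MITIGATION = /^\s*config\.middleware\.delete\s*\(?\s*ActionDispatch::ActionableExceptions\b/

# Resolved actionpack version from Gemfile.lock text, or nil if absent.
# Resolved specs sit at four spaces; dependency lines (six spaces) are skipped.
def actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True only when the delete line is present and not commented out.
def mitigation_present?(dev_config_text)
  dev_config_text.each_line.any? { |line| line.match?(MITIGATION) }
end

def audit(lockfile_text, dev_config_text)
  version = actionpack_version(lockfile_text)
  return :actionpack_not_found if version.nil?
  return :not_in_affected_range if version < AFFECTED_FROM
  mitigation_present?(dev_config_text) ? :mitigated : :middleware_enabled
end

# Constructed samples (not taken from any real application).
LOCK_SAMPLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.3)
        actionview (= 6.0.3.3)
      railties (6.0.3.3)
        actionpack (= 6.0.3.3)
LOCK
DEV_UNMITIGATED = <<~CONF
  Rails.application.configure do
    # config.middleware.delete ActionDispatch::ActionableExceptions
  end
CONF
DEV_MITIGATED = DEV_UNMITIGATED.sub("# config", "config")

puts audit(LOCK_SAMPLE, DEV_UNMITIGATED)
puts audit(LOCK_SAMPLE, DEV_MITIGATED)
```

To audit a real checkout, pass the contents of Gemfile.lock and config/environments/development.rb (read with File.read) to audit.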

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-8264
GHSA-35MM-CC6R-8FJP
OPENSUSE-SU-2024:11313-1
OPENSUSE-SU-2024:11314-1
OPENSUSE-SU-2024:11316-1
OPENSUSE-SU-2024:11318-1
OPENSUSE-SU-2024:11319-1
OPENSUSE-SU-2024:11321-1
OPENSUSE-SU-2024:11323-1
OPENSUSE-SU-2024:11325-1
OPENSUSE-SU-2024:11327-1
OPENSUSE-SU-2024:11329-1
OPENSUSE-SU-2024:11331-1
OPENSUSE-SU-2024:11348-1
OPENSUSE-SU-2024:11351-1
OPENSUSE-SU-2024:11818-1
OPENSUSE-SU-2024:11819-1
OPENSUSE-SU-2024:11820-1
OPENSUSE-SU-2024:11821-1
OPENSUSE-SU-2024:11822-1
OPENSUSE-SU-2024:11823-1
OPENSUSE-SU-2024:11824-1
OPENSUSE-SU-2024:11825-1
OPENSUSE-SU-2024:11826-1
OPENSUSE-SU-2024:11827-1
OPENSUSE-SU-2024:11828-1
OPENSUSE-SU-2024:11831-1
OPENSUSE-SU-2024:11832-1

Affected Products

Action Pack