PT-2024-29664 · Unknown · Ruby On Rails
Published
2024-08-01
·
Updated
2024-08-01
·
CVE-2024-41961
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Elektra versions prior to the version containing commit 8bce00be93b95a6512ff68fe86bf9554e486bc02
Description
A code injection issue was discovered in the live search functionality of the Elektra web application, which is built on Ruby on Rails. This issue allows an authenticated user to craft a search term that contains Ruby code. The crafted search term flows into an eval function, resulting in the execution of the injected code.
Recommendations
For versions prior to the one containing commit 8bce00be93b95a6512ff68fe86bf9554e486bc02, update to a version that includes the fix from commit 8bce00be93b95a6512ff68fe86bf9554e486bc02 to resolve the issue. As a temporary workaround, consider restricting access to the live search functionality until the update can be applied.
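As an added illustration, not Elektra's code and not a reproduction of the fix in the commit above, the following plain Ruby contrasts a live-search helper that splices the user's term into source text handed to `eval` with one that keeps the term as data; `Project`, `PROJECTS`, and the method names are constructed for this example.

```ruby
# Constructed illustration of the CWE-94 pattern described in the advisory:
# a search term that is interpolated into Ruby source and then evaluated.
Project = Struct.new(:name, :owner)

# Constructed in-memory records standing in for a database table.
PROJECTS = [
  Project.new("alpha-storage", "alice"),
  Project.new("beta-compute", "bob"),
  Project.new("gamma-network", "carol"),
].freeze

# VULNERABLE pattern: the term becomes part of the program text, so any
# quote, #{...} interpolation or other Ruby syntax inside it is parsed and
# executed in the server process instead of being treated as search text.
def unsafe_live_search(term, records = PROJECTS)
  code = "records.select { |r| r.name.include?(\"#{term}\") }"
  eval(code).map(&:name) # never do this with user-controlled input
end

# HARDENED pattern: the term is an ordinary String argument to a method
# call; its characters are compared, never parsed, so no code can run.
# (In Rails the same idea is a bound parameter, e.g. where("name LIKE ?", ...).)
def safe_live_search(term, records = PROJECTS)
  needle = term.to_s.downcase
  records.select { |r| r.name.downcase.include?(needle) }.map(&:name)
end

# Optional allow-list validation to place in front of the safe version:
# bounded length and a conservative character set for project names.
def valid_search_term?(term)
  term.is_a?(String) && term.length <= 64 && term.match?(/\A[\w\-. ]*\z/)
end
```

With the hardened version, a term such as `"#{1+1}"` simply matches nothing, whereas the same string reaching `eval` would be evaluated as Ruby.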
Exploit
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Elektra
Ruby On Rails