Possible XSS vulnerability in ActionView
CVE-2020-5267

4MEDIUM

Key Information:

Vendor

Rails

Status
Actionview
Vendor
CVE Published:
19 March 2020

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2020-5267?

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

actionview < 5.2.4.2 < 5.2.4.2

actionview >= 6.0.0, < 6.0.2.2 < 6.0.0, 6.0.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

legacy-rails-CVE-2020-5267-patch
Created by GUI

References

https://github.com/rails/rails/security/advisories/GHSA-6...
x_refsource_CONFIRM
https://github.com/rails/rails/commit/033a738817abd6e446e...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2020/03/19/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.