CVE-2024-39308

RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*
cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*

History

22 Aug 2024, 14:22

Type Values Removed Values Added
CPE cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*
Summary
  • (es) RailsAdmin es un motor Rails que proporciona una interfaz para gestionar datos. La vista de lista RailsAdmin tiene la vulnerabilidad XSS, causada por un atributo de título HTML con escape incorrecto. Actualice a 3.1.3 o 2.2.2 (por publicarse).
First Time Rails Admin Project rails Admin
Rails Admin Project
CVSS v2 : unknown
v3 : 6.8
v2 : unknown
v3 : 5.4
References () https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef - () https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef - Patch
References () https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673 - () https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673 - Patch
References () https://github.com/railsadminteam/rails_admin/issues/3686 - () https://github.com/railsadminteam/rails_admin/issues/3686 - Issue Tracking
References () https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc - () https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc - Vendor Advisory
References () https://rubygems.org/gems/rails_admin/versions/2.3.0 - () https://rubygems.org/gems/rails_admin/versions/2.3.0 - Patch
References () https://rubygems.org/gems/rails_admin/versions/3.1.3 - () https://rubygems.org/gems/rails_admin/versions/3.1.3 - Patch

08 Jul 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-08 15:15

Updated : 2024-08-22 14:22


NVD link : CVE-2024-39308

Mitre link : CVE-2024-39308

CVE.ORG link : CVE-2024-39308


JSON object : View

Products Affected

rails_admin_project

  • rails_admin
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')