CVE-2020-8264.yml
---
gem: actionpack
framework: rails
cve: 2020-8264
ghsa: 35mm-cc6r-8fjp
url: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk
title: Possible XSS Vulnerability in Action Pack in Development Mode
date: 2020-10-07
description: |
  There is a possible XSS vulnerability in Action Pack while the application
  server is in development mode. This vulnerability is in the Actionable
  Exceptions middleware. This vulnerability has been assigned the CVE
  identifier CVE-2020-8264.

  Versions Affected: >= 6.0.0
  Not affected: < 6.0.0
  Fixed Versions: 6.0.3.4

  Impact
  ------

  When an application is running in development mode, an attacker can send or
  embed (in another page) a specially crafted URL which can allow the attacker
  to execute JavaScript in the context of the local application.

  Workarounds
  -----------

  Until such time as the patch can be applied, application developers should
  disable the Actionable Exceptions middleware in their development environment via
  a line such as this one in their config/environments/development.rb:

  `config.middleware.delete ActionDispatch::ActionableExceptions`
cvss_v3: 6.1
unaffected_versions:
- "< 6.0.0"
patched_versions:
- ">= 6.0.3.4"
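As an added example (not code from ruby-advisory-db, Rails, or bundler-audit), the script below shows how an audit tool applies this entry's `unaffected_versions` and `patched_versions` to the actionpack version pinned in a Gemfile.lock: a version is vulnerable when it matches neither list. The embedded advisory is a trimmed copy of the fields above; the Gemfile.lock excerpt and the version strings are constructed test data.

```ruby
# Added example, not part of the advisory or any project it references.
require "yaml"
require "rubygems"

# Trimmed copy of the advisory fields that drive version matching.
ADVISORY_YAML = <<~YAML
  gem: actionpack
  cve: "2020-8264"
  unaffected_versions:
    - "< 6.0.0"
  patched_versions:
    - ">= 6.0.3.4"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# True if +version+ satisfies any requirement string in +requirements+.
# Gem::Requirement understands the same operators the advisory DB uses.
def matches_any?(version, requirements)
  v = Gem::Version.new(version)
  Array(requirements).any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# A version is vulnerable when it is neither unaffected nor patched.
def vulnerable?(version, advisory = ADVISORY)
  return false if matches_any?(version, advisory["unaffected_versions"])
  return false if matches_any?(version, advisory["patched_versions"])
  true
end

# Minimal Gemfile.lock scan: gem specs sit under "specs:" indented by exactly
# four spaces as "    name (version)"; their dependencies use six spaces, so
# anchoring on four spaces avoids matching "actionpack (= x)" dependency lines.
def audit_lockfile(lock_text, advisory = ADVISORY)
  gem_name = advisory["gem"]
  line = lock_text.lines.find { |l| l =~ /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/ }
  return nil unless line
  version = line[/\(([^)]+)\)/, 1]
  { gem: gem_name, version: version, vulnerable: vulnerable?(version, advisory) }
end

# Constructed Gemfile.lock fragment pinning a vulnerable actionpack.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.3)
        actionview (= 6.0.3.3)
        rack (~> 2.0, >= 2.0.8)
LOCK

if __FILE__ == $PROGRAM_NAME
  result = audit_lockfile(SAMPLE_LOCK)
  puts "#{result[:gem]} #{result[:version]}: #{result[:vulnerable] ? 'VULNERABLE' : 'ok'}"
end
```

The workaround in the advisory only matters for the vulnerable band this logic identifies (6.0.0 up to but excluding 6.0.3.4); on a patched or pre-6.0 lockfile the middleware deletion in development.rb is unnecessary.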