Defect #38875: Additional vulnerabilities reported for v.5.0.5
Status: open
Description
In version 5.0.5:
```
Name: actionpack
Version: 6.1.7.2
CVE: CVE-2023-28362
GHSA: GHSA-4g8v-vg43-wpgf
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
Title: Possible XSS via User Supplied Values to redirect_to
Solution: upgrade to '~> 6.1.7.4', '>= 7.0.5.1'
Name: actionview
Version: 6.1.7.2
CVE: CVE-2023-23913
GHSA: GHSA-xp5h-f8jf-rc8q
Criticality: High
URL: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
Title: DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
Solution: upgrade to '~> 6.1.7.3', '>= 7.0.4.3'
Name: commonmarker
Version: 0.23.8
GHSA: GHSA-48wp-p9qv-4j64
Criticality: High
URL: https://github.com/gjtorikian/commonmarker/releases/tag/v0.23.9
Title: Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service
Solution: upgrade to '>= 0.23.9'
Name: rack
Version: 2.2.6.3
CVE: CVE-2023-27539
GHSA: GHSA-c6qg-cjj8-47qp
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Title: Possible Denial of Service Vulnerability in Rack’s header parsing
Solution: upgrade to '~> 2.0, >= 2.2.6.4', '>= 3.0.6.1'
Name: sanitize
Version: 6.0.1
CVE: CVE-2023-36823
GHSA: GHSA-f5ww-cq3m-q3g7
Criticality: High
URL: https://github.com/rgrove/sanitize/releases/tag/v6.0.2
Title: Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content
Solution: upgrade to '>= 6.0.2'
```
Related issues
Updated by Go MAEDA 4 months ago
- Related to Patch #38374: Update Rails to 6.1.7.6 added
Updated by Mischa The Evil about 1 month ago
- Affected version changed from 5.0.4 to 5.0.5
Updated by Marius BALTEANU about 1 month ago
- Status changed from New to Needs feedback
Can you rerun the security tests on 5.0.6?