rubygems

965 tracked vulnerabilities.

CVE-2024-7106 MEDIUM
Spina CMS 2.18.0 - Cross-Site Request Forgery via /admin/media_folders
Jul 25, 2024
CVSS 4.3
EPSS 0.00
CVE-2024-39908 MEDIUM
REXML < 3.3.2 - Denial of Service via Malformed XML Parsing
Jul 16, 2024
CVSS 4.3
EPSS 0.01
CVE-2024-32469 HIGH
Decidim < 0.27.6 and 0.28.0.rc1-0.28.1 - Cross-Site Scripting via Pagination GET Parameter
Jul 10, 2024
CVSS 7.1
EPSS 0.00
CVE-2024-27095 MEDIUM
decidim < 0.27.6 - Cross-Site Scripting in Admin Panel
Jul 10, 2024
CVSS 5.4
EPSS 0.00
CVE-2024-27090 MEDIUM
Decidim < 0.27.6 - Unauthorized Data Exposure via Embedded Resource Slug Inference
Jul 10, 2024
CVSS 5.3
EPSS 0.00
CVE-2024-39308 MEDIUM
rails_admin < 2.3.0 and >=3.0.0.beta <3.1.3 - Cross-Site Scripting via List View HTML Title Attribute
Jul 08, 2024
CVSS 5.4
EPSS 0.01
CVE-2024-39316 MEDIUM
Rack 3.1.0-3.1.5 - Denial of Service via HTTP Accept Header Parsing
Jul 02, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-32464 MEDIUM
Action Text <7.1.3.4,7.2.0.beta2 - XSS
Jun 04, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-28103 MEDIUM
Rails 6.1.0-6.1.7.7 - Improper Input Validation in Permissions-Policy Header
Jun 04, 2024
CVSS 5.4
EPSS 0.01
CVE-2024-37031 MEDIUM
Rubygems Activeadmin < 3.2.2 - XSS
Jun 03, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-35221 MEDIUM
rubygems.org - Remote Denial of Service via YAML Alias Bomb in Gem Metadata
May 29, 2024
CVSS 4.3
EPSS 0.00
CVE-2024-35231 HIGH
rack-contrib < 2.5.0 - Denial of Service via Unconstrained profiler_runs Parameter
May 27, 2024
CVSS 8.6
EPSS 0.01
CVE-2024-32978 MEDIUM
Kaminari 0.15.0-0.16.1 - Insecure File Permissions
May 27, 2024
CVSS 6.6
EPSS 0.01
CVE-2024-35176 MEDIUM
REXML < 3.2.7 - Denial of Service via Malformed XML Attribute
May 16, 2024
CVSS 5.3
EPSS 0.02
CVE-2024-27281 MEDIUM
RDoc <6.6.2 - Remote Code Execution
May 14, 2024
CVSS 4.5
EPSS 0.02
CVE-2024-27280 CRITICAL
StringIO < 3.0.1.1 - Buffer Overread via ungetbyte/ungetc Methods
May 14, 2024
CVSS 9.8
EPSS 0.02
CVE-2024-34341 MEDIUM
Trix < 2.1.1 - Stored Cross-Site Scripting via Pasting Malicious Markup
May 07, 2024
CVSS 5.4
EPSS 0.01
CVE-2024-32970 HIGH
Phlex < 1.9.3 - Cross-Site Scripting via Malicious HTML Attributes
Apr 30, 2024
CVSS 7.1
EPSS 0.01
CVE-2024-32887 MEDIUM
Sidekiq >=7.2.0 <7.2.4 - Reflected Cross-Site Scripting via substr Parameter
Apr 26, 2024
CVSS 5.5
EPSS 0.01
CVE-2024-32463 HIGH
Phlex 1.4.0-1.10.0 - Cross-Site Scripting via Whitespace Bypass in href Attribute
Apr 17, 2024
CVSS 7.1
EPSS 0.01
CVE-2024-29034 MEDIUM
CarrierWave < 2.2.6 and 3.0.0-3.0.7 - Cross-Site Scripting via Content-Type Header Bypass
Mar 24, 2024
CVSS 6.8
EPSS 0.00
CVE-2024-28862 MEDIUM
rotp 6.2.1-6.2.9 - Incorrect Default Permissions
Mar 16, 2024
CVSS 5.3
EPSS 0.00
CVE-2024-28181 HIGH
turboboost_commands < 0.1.3 - Improper Method Invocation Restriction
Mar 14, 2024
CVSS 8.1
EPSS 0.01
CVE-2024-28121 HIGH
Stimulus Reflex < 3.4.2/3.5.0.rc4 - Unsafe Reflex Method Invocation
Mar 12, 2024
CVSS 8.8
EPSS 0.02
CVE-2024-28199 HIGH
phlex < 1.0.1 and >=1.9.0 <1.9.1 - Cross-Site Scripting via Improper Case-Sensitivity Handling
Mar 11, 2024
CVSS 7.1
EPSS 0.01