rubygems
954 tracked vulnerabilities.
CVE | Severity | CVSS | EPSS | Published | Affected gem and issue
CVE-2024-35231 | HIGH | 8.6 | 0.00 | May 27, 2024 | rack-contrib < 2.5.0 - Denial of Service via Unconstrained profiler_runs Parameter
CVE-2024-32978 | MEDIUM | 6.6 | 0.00 | May 27, 2024 | Kaminari 0.15.0-0.16.1 - Insecure File Permissions
CVE-2024-35176 | MEDIUM | 5.3 | 0.06 | May 16, 2024 | REXML < 3.2.7 - Denial of Service via Malformed XML Attribute
CVE-2024-27281 | MEDIUM | 4.5 | 0.02 | May 14, 2024 | RDoc < 6.6.2 - Remote Code Execution
CVE-2024-27280 | CRITICAL | 9.8 | 0.07 | May 14, 2024 | StringIO < 3.0.1.1 - Buffer Overread via ungetbyte/ungetc Methods
CVE-2024-34341 | MEDIUM | 5.4 | 0.00 | May 07, 2024 | Trix < 2.1.1 - Stored Cross-Site Scripting via Pasting Malicious Markup
CVE-2024-32970 | HIGH | 7.1 | 0.00 | Apr 30, 2024 | Phlex < 1.9.3 - Cross-Site Scripting via Malicious HTML Attributes
CVE-2024-32887 | MEDIUM | 5.5 | 0.00 | Apr 26, 2024 | Sidekiq >= 7.2.0, < 7.2.4 - Reflected Cross-Site Scripting via substr Parameter
CVE-2024-32463 | HIGH | 7.1 | 0.00 | Apr 17, 2024 | Phlex 1.4.0-1.10.0 - Cross-Site Scripting via Whitespace Bypass in href Attribute
CVE-2024-29034 | MEDIUM | 6.8 | 0.00 | Mar 24, 2024 | CarrierWave < 2.2.6 and 3.0.0-3.0.7 - Cross-Site Scripting via Content-Type Header Bypass
CVE-2024-28862 | MEDIUM | 5.3 | 0.00 | Mar 16, 2024 | rotp 6.2.1-6.2.9 - Incorrect Default Permissions
CVE-2024-28181 | HIGH | 8.1 | 0.01 | Mar 14, 2024 | turboboost_commands < 0.1.3 - Improper Method Invocation Restriction
CVE-2024-28121 | HIGH | 8.8 | 0.01 | Mar 12, 2024 | Stimulus Reflex < 3.4.2 / 3.5.0.rc4 - Unsafe Reflex Method Invocation
CVE-2024-28199 | HIGH | 7.1 | 0.02 | Mar 11, 2024 | phlex < 1.0.1 and >= 1.9.0, < 1.9.1 - Cross-Site Scripting via Improper Case-Sensitivity Handling
CVE-2024-26146 | MEDIUM | 5.3 | 0.01 | Feb 29, 2024 | Rack 0.4-2.0.9.3 and 3.0.0-3.0.9.0 - Denial of Service via Header Parsing
CVE-2024-26141 | MEDIUM | 5.8 | 0.00 | Feb 29, 2024 | Rack 1.3.0-2.2.8.0 and 3.0.0-3.0.9.0 - Denial of Service via Range Header
CVE-2024-25126 | MEDIUM | 5.3 | 0.00 | Feb 29, 2024 | Rack 0.4-2.2.8.1 and 3.0.0-3.0.9.1 - Denial of Service via Content-Type Header Parsing
CVE-2024-27285 | MEDIUM | 5.4 | 0.03 | Feb 28, 2024 | yard < 0.9.36 - Cross-Site Scripting in frames.erb Template
CVE-2024-26144 | MEDIUM | 5.3 | 0.04 | Feb 27, 2024 | Rails 5.2.0-6.1.7.6 - Sensitive Session Information Leak via Active Storage Blob Set-Cookie Header
CVE-2024-26143 | MEDIUM | 6.1 | 0.02 | Feb 27, 2024 | Rails 7.0.0-7.0.8.1 - Cross-Site Scripting via Translation Helper Default Key
CVE-2024-26142 | HIGH | 7.5 | 0.04 | Feb 27, 2024 | Rails 7.1.0-7.1.3 - Denial of Service via Accept Header Parsing ReDoS
CVE-2024-27456 | CRITICAL | 9.1 | 0.00 | Feb 26, 2024 | Rack CORS Middleware < 2.0.1 - Info Disclosure
CVE-2024-25122 | HIGH | 7.1 | 0.00 | Feb 13, 2024 | sidekiq-unique-jobs - Stored Cross-Site Scripting in Admin Web UI
CVE-2024-22411 | MEDIUM | 6.5 | 0.06 | Jan 16, 2024 | Avo < 2.47.0 and 3.0.0.beta1-3.3.0 - Stored Cross-Site Scripting via Action Toast Notification
CVE-2024-22191 | HIGH | 7.3 | 0.01 | Jan 16, 2024 | Avo < 2.47.0 and >= 3.0.0.beta1, < 3.2.4 - Stored Cross-Site Scripting in Key Value Field
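The practical use of a listing like this is to check a project's Gemfile.lock against the affected ranges. The script below is an added example, not code from this page or from any advisory database: it transcribes a handful of the ranges above (those the listing states with an explicit upper bound) into Gem::Requirement syntax, parses the specs block of a lockfile with only the rubygems library that ships with Ruby, and reports every locked gem that falls inside an affected range. The lockfile it reads is constructed for the example; the translation of the listed ranges into operator form is ours.

```ruby
require "rubygems"

# Affected ranges transcribed from the advisories listed above. Only entries the
# listing gives with an explicit "<" bound are included; the CVE ids and gem
# names are from the page, the Gem::Requirement strings are our rendering.
ADVISORIES = [
  { id: "CVE-2024-35231", gem: "rack-contrib", affected: ["< 2.5.0"] },
  { id: "CVE-2024-35176", gem: "rexml",        affected: ["< 3.2.7"] },
  { id: "CVE-2024-27281", gem: "rdoc",         affected: ["< 6.6.2"] },
  { id: "CVE-2024-27280", gem: "stringio",     affected: ["< 3.0.1.1"] },
  { id: "CVE-2024-32887", gem: "sidekiq",      affected: [">= 7.2.0", "< 7.2.4"] },
  { id: "CVE-2024-27285", gem: "yard",         affected: ["< 0.9.36"] },
].freeze

# Constructed Gemfile.lock for the example (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      rack-contrib (2.4.0)
        rack (~> 2.0)
      rexml (3.2.8)
      sidekiq (7.2.2)
        connection_pool (>= 2.3.0)
        rack (>= 2.2.4)
        redis-client (>= 0.19.0)
      stringio (3.0.1.1)
      yard (0.9.34)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack-contrib
    rexml
    sidekiq
    yard

  BUNDLED WITH
     2.5.6
LOCK

# Parse every "specs:" block of a Gemfile.lock into { gem name => Gem::Version }.
# Resolved gems are indented by exactly four spaces ("    name (version)");
# their dependency lines are indented by six and are skipped. A platform suffix
# such as "-x86_64-linux" is dropped before the version is compared
# (assumption: lockfiles store prereleases as "3.0.0.beta1", not with a dash).
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    # A line starting at column 0 (PLATFORMS, DEPENDENCIES, GIT, ...) ends the block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  specs
end

# Return one finding per advisory whose gem is locked at a version inside the
# affected range, in the order the advisories are listed.
def vulnerable_gems(specs, advisories = ADVISORIES)
  advisories.filter_map do |adv|
    version = specs[adv[:gem]]
    next unless version
    next unless Gem::Requirement.new(*adv[:affected]).satisfied_by?(version)
    { id: adv[:id], gem: adv[:gem], version: version.to_s }
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = vulnerable_gems(parse_lockfile(SAMPLE_LOCKFILE))
  findings.each { |f| puts "#{f[:id]}: #{f[:gem]} #{f[:version]} is in an affected range" }
  puts "#{findings.size} affected gem(s)"
end
```

Gem::Requirement applies rubygems' own version ordering, so prerelease and multi-segment versions such as 3.0.1.1 compare the same way Bundler resolves them. Ranges the listing writes as "a-b" are deliberately left out of the table: the page does not say whether the upper bound is inclusive, and guessing would produce false negatives on exactly the boundary release.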
Products (tracked vulnerabilities per gem)
actionpack 63
rack 50
nokogiri 34
rubygems 25
rubygems-update 25
activerecord 23
puppet 23
activesupport 17
publify_core 15
passenger 14
rails-html-sanitizer 14
actionview 13
decidim 12
puma 12
camaleon_cms 11
fat_free_crm 11
rails 11
activestorage 10
ruby-saml 10
jquery-rails 9
openc3 8
rexml 8
bootstrap 7
bootstrap-sass 7
jquery-ui-rails 7
katello 7
lodash-rails 7
net-imap 7
spree 7
avo 6