CVE-2024-37031

MEDIUM

Rubygems Activeadmin < 3.2.2 - XSS

Title source: rule

Description

The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed version.

References (3)

Core 3

Core References

Various Sources

https://rubygems.org/gems/activeadmin/versions/3.2.2

Vendor Advisory

https://github.com/activeadmin/activeadmin/security/advisories/GHSA-9mg6-x45v-hcfm

Release Notes

https://github.com/activeadmin/activeadmin/releases/tag/v3.2.2

Scores

CVSS v3 6.1

EPSS 0.0023

EPSS Percentile 45.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

rubygems/activeadmin 0 - 3.2.2RubyGems

Published Jun 03, 2024

Tracked Since Feb 18, 2026