[CVE-2020-8264] Possible XSS Vulnerability in Action Pack in Development Mode

2981 views
Skip to first unread message

Aaron Patterson

unread,
Oct 7, 2020, 12:57:36 PM10/7/20
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
There is a possible XSS vulnerability in Action Pack while the application
server is in development mode.  This vulnerability is in the Actionable
Exceptions middleware.  This vulnerability has been assigned the CVE
identifier CVE-2020-8264.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.0.3.4

Impact
------
When an application is running in development mode, and attacker can send or
embed (in another page) a specially crafted URL which can allow the attacker
to execute JavaScript in the context of the local application.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
Until such time as the patch can be applied, application developers should 
disable the Actionable Exceptions middleware in their development environment via 
a line such as this one in their config/environment/development.rb: 

config.middleware.delete ActionDispatch::ActionableExceptions 

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 6-0-actionable-exceptions-xss.patch - Patch for 6.0 series

Please note that only the 6.0.x and 5.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thank you to https://hackerone.com/ooooooo_q for reporting this issue!


--
6-0-actionable-exceptions-xss.patch
Reply all
Reply to author
Forward
0 new messages