Your submission was sent successfully! Close

CVE-2020-8264

Published: 6 January 2021

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
rails
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
rails-4.0
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby-actionpack-3.2
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby-activemodel-3.2
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby-activerecord-3.2
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby-activesupport-3.2
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby-rails-3.2
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Notes

AuthorNote
seth-arnold
In Oneiric-Saucy, rails package is just for transition;
The rails package contains actual code from vivid onward
ebarretto
Only affects rails >= 6.0.0

References

Bugs