Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-3704: ¬ XSS within Route Error Page · Issue #46244 · rails/rails

A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319.

CVE
#xss#vulnerability#web#ruby

After highlighting this issue to the Rails team via Hacker1, I was informed that this bug should be highlighted here upstream.
Whilst the issue is nothing critical, it is after all more of a self XSS, the ability to inject XSS attacks within the Rails framework is concerning. At a later date a vulnerability may be discovered that could leverage this issue or the code within this page could be reused elsewhere creating another attack vector that could be triggered by an attacker.
I am not an expert in Ruby or Rails and when I found this issue on a penetration test for a client, we discovered it was not an issue with the web application but one within Rails itself. The screenshot attached is therefore redacted of client identification.

Steps to reproduce

Request a page that does not have a matching routing to produce the Routing Error page.

Expected behavior

Expected behaviour is a error page with resources to help navigate the issue.

Actual behavior

Within the search box for Path, it is possible to create a XSS injection.

System configuration

Rails version:
No information on version from client
Ruby version:
No information on version from client.

Related news

GHSA-9chr-4fjh-5rgw: Cross-site Scripting in actionpack

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this [commit](https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4). There are no known workarounds for this issue.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907