Undergoing Analysis
CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.

Products

RailsAdmin

3.1.3

2.2.2

Source

security-advisories@github.com

CVE-2024-39308 details

Published : July 8, 2024, 3:15 p.m.
Last Modified : July 8, 2024, 3:49 p.m.

Description

RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).

CVSS Score

1	2	3	4	5	6.8	7	8	9	10

Weakness

Weakness	Name	Description
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.8

Exploitability Score

2.3

Impact Score

4.0

Base Severity

MEDIUM

Vector String : CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

References

URL	Source
https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef	security-advisories@github.com
https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673	security-advisories@github.com
https://github.com/railsadminteam/rails_admin/issues/3686	security-advisories@github.com
https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc	security-advisories@github.com
https://rubygems.org/gems/rails_admin/versions/2.3.0	security-advisories@github.com
https://rubygems.org/gems/rails_admin/versions/3.1.3	security-advisories@github.com

This website uses the NVD API, but is not approved or certified by it.

CVE-2024-39308