VDB
CVE-2020-8264
CVE-2020-8264
PUBLISHED
CVSS 6.099999904632568 MEDIUM
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
EPSS 2.05% · 84.2th percentile
Risk Scores
CVSS 3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
2.05%
84.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | https://github.com/rails/rails | 6.0.3.4 |
| RubyGems | actionpack | 6.0.0 |
| rubyonrails | rails | 6.0.0 |
Exploit Intelligence
- CIRCL seen: CVE-2020-8264 (circl-sighting)
- https://hackerone.com/reports/904059 (circl)
- https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ (circl)
- Open Redirect (6.0.0 < rails < 6.0.3.2) (hackerone)
- Open Redirect (6.0.0 < rails < 6.0.3.2) (hackerone)
- Open Redirect (6.0.0 < rails < 6.0.3.2) (hackerone)
Timeline
- CVE Published
- Dec 22, 2020 PoC Published
- Jan 7, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://hackerone.com/reports/904059 url
- https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ url
- https://nvd.nist.gov/vuln/detail/CVE-2020-8264 advisory
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml url
- https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk url
- https://groups.google.com/forum/#!topic/rubyonrails-security/yQzUVfv42jk advisory