Back to bug 2217785
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Avinash Hanwate | 2023-06-27 05:39:21 UTC | CC | | amasferr, bbuckingham, bcourt, chazlett, ehelms, jsherril, lzap, mhulan, mkudlej, myarboro, nmoumoul, orabin, pcreech, rchan, tjochec |
| Avinash Hanwate | 2023-06-27 05:42:38 UTC | Depends On | | 2217787, 2217789, 2217788 |
| Avinash Hanwate | 2023-06-27 05:45:38 UTC | Blocks | | 2217790 |
| Red Hat Bugzilla | 2023-07-07 08:32:44 UTC | Fixed In Version | | rubygem-actionpack 6.1.7.4, rubygem-actionpack 7.0.5.1 |
| | | Doc Text | | A Cross-site-scripting vulnerability has been found in Actionpack due to improper sanitization of user-supplied values. This allows provided values to contain characters that are not legal in an HTTP header value. |
| | | Assignee | security-response-team | nobody |
| Paige Jung | 2023-07-13 16:47:15 UTC | Alias | TRIAGE-2023-28362 | 2023-28362 |
| | | Alias | 2023-28362 | CVE-2023-28362 |
| | | Summary | TRIAGE-2023-28362 actionpack: Possible XSS via User Supplied Values to redirect_to | CVE-2023-28362 actionpack: Possible XSS via User Supplied Values to redirect_to |
| | | Depends On | | 2222764, 2222765 |
| | | Doc Text | A Cross-site-scripting vulnerability has been found in Actionpack due to improper sanitization of user-supplied values. This allows provided values to contain characters that are not legal in an HTTP header value. | A Cross-site Scripting (XSS) vulnerability was found in Actionpack due to improper sanitization of user-supplied values. This allows provided values to contain characters that are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned location header. |