CVE-2024-26143 MEDIUM

CVE-2024-26143: Rails Possible XSS Vulnerability in Action Controller

Vendor Rails

Product rails

Weakness CWE-79 · XSS

Published February 27, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.

Key dates

Disclosure timeline

February 27, 2024 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2024-26143

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Rails

Product rails

Affected >= 7.0.0, < 7.0.8.1

Vendor Rails

Product rails

Affected >= 7.1.0, < 7.1.3.1