CVE-2022-3704: XSS in Rails ActionDispatch Routes Table Template
CVE-2022-3704 Published on October 26, 2022

Ruby on Rails _table.html.erb cross site scripting
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isnt a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team.

NVD

Vulnerability Analysis

CVE-2022-3704 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-3704. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.


Products Associated with CVE-2022-3704

Want to know whenever a new CVE is published for Ruby on Rails Rails? stack.watch will email you.

Ruby on Rails Rails
 

Affected Versions

unspecified Ruby on Rails: rubyonrails rails:

Exploit Probability

EPSS
0.27%
Percentile
50.30%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.