CVE-2023-28362 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADP	ADP	4 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 44%

Debian Releases

Debian Product

Codename

rails

bookworm	no-dsa
bullseye	no-dsa
bullseye (security)	vulnerable
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

rails

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	needs-triage

rails-4.0

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

ruby-actionpack-3.2

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

ruby-activemodel-3.2

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

ruby-activerecord-3.2

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

ruby-activesupport-3.2

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

ruby-rails-3.2

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	dne

Common Weakness Enumeration

CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

https://security.netapp.com/advisory/ntap-20250502-0009/