CVE-2021-23435

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-23435
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23435.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-23435
Aliases
Published
2021-09-12T20:15:07Z
Modified
2024-05-14T08:25:25.575493Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

This affects the package clearance before 2.5.0. The vulnerability is exploitable when users are able to set the value of session[:returnto]. If the value used for returnto contains multiple leading slashes (/////example.com), the user ends up being redirected to the external domain that follows the slashes (http://example.com).
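As an added example (not Clearance's own code, which this record does not show), a Ruby check of the kind a defender would want for a session-stored return path: the naive test that accepts anything starting with `/` passes `/////example.com`, which browsers resolve as a protocol-relative URL to example.com, while the hardened check rejects it. Function names and sample values are assumptions.

```ruby
require "uri"

# Constructed example, not the clearance gem's code.
# Naive check: "it starts with a slash, so it must be a local path".
# This accepts "/////example.com", which a browser treats as "//example.com".
def naive_safe_return_to?(value)
  value.to_s.start_with?("/")
end

# Hardened check: the value must start with exactly one slash (no "//" or
# "/\" protocol-relative prefix) and must parse as a URI that carries no
# scheme, host or userinfo, so a redirect can only stay on this origin.
def safe_return_to?(value)
  value = value.to_s
  return false if value.empty?
  return false unless value.start_with?("/")
  return false if value.start_with?("//", "/\\")
  uri = URI.parse(value)
  uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil? && uri.path.start_with?("/")
rescue URI::InvalidURIError
  # Anything the URI parser cannot make sense of is not a safe redirect target.
  false
end

# Return the stored path if it is safe, otherwise fall back to a known-local path.
def sanitized_return_to(value, fallback: "/")
  safe_return_to?(value) ? value : fallback
end
```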

References

Affected packages

Git / github.com/thoughtbot/clearance

Affected ranges

Type
GIT
Repo
https://github.com/thoughtbot/clearance
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.4.9
0.5.1
0.5.2

v0.*

v0.10.0
v0.10.3
v0.10.3.1
v0.10.3.2
v0.10.4
v0.10.5
v0.11.0
v0.11.1
v0.11.2
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.16.0
v0.16.2
v0.3.7
v0.4.4
v0.5.0
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.9.0
v0.9.0.rc1
v0.9.0.rc2
v0.9.0.rc3
v0.9.0.rc4
v0.9.0.rc5
v0.9.0.rc6
v0.9.0.rc7
v0.9.0.rc8
v0.9.0.rc9
v0.9.1

v1.*

v1.0.0
v1.0.0.rc1
v1.0.0.rc2
v1.0.0.rc3
v1.0.0.rc4
v1.0.0.rc5
v1.0.0.rc7
v1.0.0.rc8
v1.0.1
v1.1.0
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.7.0
v1.8.0
v1.8.1
v1.9.0

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.4.0