CVE-2023-28120
- Source
- https://cve.org/CVERecord?id=CVE-2023-28120
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28120.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-28120
- Aliases
- Downstream
- Related
- Published
- 2025-01-09T01:15:07.637Z
- Modified
- 2026-03-13T11:34:59.238402Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
- References
-
- https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
- https://security.netapp.com/advisory/ntap-20240202-0006/
- https://www.debian.org/security/2023/dsa-5389
- https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70