There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264.
Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 184.108.40.206
The FIXED releases are available at the normal locations.
Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb:
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-actionable-exceptions-xss.patch - Patch for 6.0 series
Please note that only the 6.0.x and 5.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Thank you to ooooooo_q for reporting this issue!