
paperclip Cross-site Scripting vulnerability

Moderate severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jan 23, 2023

Package

bundler paperclip (RubyGems)

Affected versions

< 4.2.2

Patched versions

4.2.2

Description

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
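The mismatch described above can be caught by comparing the client-declared Content-Type with the type inferred from the file's leading bytes. The following is an added example, not paperclip's code or its 4.2.2 fix; the function names, the allowlist and the sample inputs are assumptions constructed for illustration.

```ruby
# Added example (hypothetical helper names); not taken from the paperclip gem.
# Magic-number signatures for the image types this illustrative app accepts.
SIGNATURES = {
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/png"  => ["\x89PNG\r\n\x1A\n".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b]
}.freeze

# Returns the media type inferred from the leading bytes, or nil if unknown.
def sniff_media_type(bytes)
  head = bytes.b
  SIGNATURES.each do |type, magics|
    return type if magics.any? { |m| head.start_with?(m) }
  end
  nil
end

# Accepts an upload only when the declared Content-Type is on the allowlist
# AND agrees with what the bytes actually are. Returns [ok, reason].
def validate_upload(declared_type, bytes)
  # Drop parameters such as "; charset=..." and normalise case.
  declared = declared_type.to_s.split(";").first.to_s.strip.downcase
  return [false, "type not allowed"] unless SIGNATURES.key?(declared)

  sniffed = sniff_media_type(bytes)
  return [false, "unrecognized content"] if sniffed.nil?
  unless sniffed == declared
    return [false, "declared #{declared} but content is #{sniffed}"]
  end

  [true, "ok"]
end

if __FILE__ == $0
  # Constructed sample inputs: an HTML document labelled as a JPEG,
  # and a byte string that starts with a real JPEG signature.
  html = "<html><body>hello</body></html>"
  jpeg = "\xFF\xD8\xFF\xE0".b + ("\x00" * 16)
  p validate_upload("image/jpeg", html)
  p validate_upload("image/jpeg", jpeg)
end
```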

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jan 23, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2015-2963

GHSA ID

GHSA-6jvm-3j5h-79f6

Source code
