Skip to content

Moderate severity vulnerability that affects paperclip

Moderate severity GitHub Reviewed Published Aug 13, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023
Withdrawn This advisory was withdrawn on Jun 17, 2020

Package

bundler paperclip (RubyGems)

Affected versions

< 4.2.2

Patched versions

4.2.2

Description

Withdrawn, accidental duplicate publish.

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.

References

Published to the GitHub Advisory Database Aug 13, 2018
Reviewed Jun 17, 2020
Withdrawn Jun 17, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-phmw-pv3f-vvx7

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.