CVE-2015-2963
Published: Jul 10, 2015
Modified: Aug 6, 2024
PUBLISHED
Description
The thoughtbot paperclip gem before 4.2.2 for Ruby does not take the content-type value into account during media-type validation. A remote attacker can therefore upload an HTML document by supplying a spoofed content type that passes the validator (image/jpeg in the demonstration) and use the stored document for cross-site scripting (XSS).
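The following is an added illustration of the failure mode the description points at, written for this page; it is not Paperclip's own code and does not reproduce the gem's validator. It models an upload spoof check that has three sources of truth for the media type (the file extension, the content type declared by the client, and the type detected from the file's bytes) and shows a weak variant that lets a client-declared type mask the detected one beside a strict variant that always consults the detected type. The signature sniffer, the `Upload` struct, the extension table and the sample uploads are all constructed for the example.

```ruby
# Added example, not Paperclip's code: a simplified content-type spoof
# check for file uploads, with a weak and a corrected variant.

Upload = Struct.new(:filename, :declared_type, :bytes)

# Extension -> content type table (assumption: only these are known).
EXTENSION_TYPES = {
  'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
  'png' => 'image/png',  'gif'  => 'image/gif',
  'html' => 'text/html'
}.freeze

# Stand-in for the `file` command / libmagic: recognises only the
# signatures listed here (assumption made for a self-contained example).
def detect_content_type(bytes)
  return 'image/jpeg' if bytes.start_with?("\xFF\xD8\xFF".b)
  return 'image/png'  if bytes.start_with?("\x89PNG".b)
  return 'image/gif'  if bytes.start_with?('GIF8'.b)
  return 'text/html'  if bytes.lstrip.start_with?('<'.b)
  'application/octet-stream'
end

# "image/jpeg" -> "image"; nil/unknown -> nil
def media_type(content_type)
  content_type.to_s.split('/').first
end

def type_from_name(filename)
  EXTENSION_TYPES[File.extname(filename).delete_prefix('.').downcase]
end

# Weak check: the upload counts as spoofed only when BOTH the declared type
# and the detected type disagree with the extension. The declared type is
# attacker-controlled, so choosing one that matches the extension hides a
# detected type that does not.
def spoofed_weak?(upload)
  expected = media_type(type_from_name(upload.filename))
  supplied_mismatch   = media_type(upload.declared_type) != expected
  calculated_mismatch = media_type(detect_content_type(upload.bytes)) != expected
  supplied_mismatch && calculated_mismatch
end

# Corrected check: a mismatch from EITHER source marks the upload as spoofed,
# so the type detected from the bytes is always taken into account.
def spoofed_strict?(upload)
  expected = media_type(type_from_name(upload.filename))
  supplied_mismatch   = media_type(upload.declared_type) != expected
  calculated_mismatch = media_type(detect_content_type(upload.bytes)) != expected
  supplied_mismatch || calculated_mismatch
end

# Constructed sample uploads. The second is an HTML document renamed to
# .jpg and sent with a declared type of image/jpeg, the situation the
# description above refers to.
GENUINE_JPEG = Upload.new('photo.jpg', 'image/jpeg',
                          "\xFF\xD8\xFF\xE0".b + ("\x00" * 12).b)
SPOOFED_HTML = Upload.new('avatar.jpg', 'image/jpeg',
                          '<html><body><script>alert(1)</script></body></html>'.b)

if __FILE__ == $PROGRAM_NAME
  [GENUINE_JPEG, SPOOFED_HTML].each do |u|
    puts "#{u.filename}: weak=#{spoofed_weak?(u)} strict=#{spoofed_strict?(u)}"
  end
end
```

Running the block shows the weak check accepting `avatar.jpg` (the HTML file) because the declared `image/jpeg` agrees with the `.jpg` extension, while the strict check rejects it on the detected `text/html`. A real validator should use a proper magic-byte library rather than the four signatures above, and should also serve user uploads with a fixed `Content-Type` and a non-sniffing policy so that a file that slips through is not rendered as HTML.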
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a (affected) |
References
- 75304 (vdb-entry, x_refsource_BID)
- https://robots.thoughtbot.com/paperclip-security-release (x_refsource_CONFIRM)
- JVN#83881261 (third-party-advisory, x_refsource_JVN)
- JVNDB-2015-000088 (third-party-advisory, x_refsource_JVNDB)
- [oss-security] 20150618 Re: CVE request: Content type spoofing in ruby gem paperclip <4.2.2 (mailing-list, x_refsource_MLIST)