
CVE-2020-15169 PoC — XSS in Action View

Associated Vulnerability
Title: XSS in Action View (CVE-2020-15169)
Description: In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
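The following is an added illustration, not code from this PoC repository or from Rails. It models the behaviour the advisory describes in plain Ruby: a lookup table stands in for the I18n backend, `SafeString` stands in for `ActiveSupport::SafeBuffer`, and `render` plays the role of ERB's `<%= %>` (escape unless the value is already marked safe). `translate_vulnerable` reproduces the defect (a caller-supplied default for a key named `html` or ending in `_html` is marked safe without escaping); `translate_fixed` shows the defender's rule: a default is untrusted and gets escaped unless the caller already marked it safe. The translation strings and the untrusted default are constructed sample values.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (constructed model, not Rails' class):
# a String subclass whose instances are treated as already-escaped markup.
class SafeString < String; end

# Stand-in for the I18n backend: constructed sample translations.
TRANSLATIONS = {
  "greeting"      => "Hello",
  "greeting_html" => "<strong>Hello</strong>"
}.freeze

# Constructed untrusted input, e.g. a value a user could steer into the default.
UNTRUSTED_DEFAULT = "<script>evil()</script>"

# The advisory's rule: keys named "html" or ending in "_html" carry markup and
# their translations are rendered without escaping.
def html_key?(key)
  key = key.to_s
  key == "html" || key.end_with?("_html")
end

# Models ERB's <%= %>: escape everything that is not already marked safe.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Defective behaviour (as described for Action View < 5.2.4.4 / < 6.0.3.3):
# for an html key, whatever comes back -- the stored translation OR the
# caller-supplied default -- is marked safe, so the default is never escaped.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key.to_s) { default }
  return text unless html_key?(key)
  SafeString.new(text.to_s)
end

# Hardened behaviour: only the stored translation is trusted for an html key.
# A default is escaped unless the caller already marked it safe.
def translate_fixed(key, default: nil)
  if (text = TRANSLATIONS[key.to_s])
    return html_key?(key) ? SafeString.new(text) : text
  end
  return default unless html_key?(key)
  default.is_a?(SafeString) ? default : SafeString.new(ERB::Util.html_escape(default.to_s))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render(translate_vulnerable('missing_html', default: UNTRUSTED_DEFAULT))}"
  puts "fixed:      #{render(translate_fixed('missing_html', default: UNTRUSTED_DEFAULT))}"
  puts "stored:     #{render(translate_fixed('greeting_html'))}"
end
```

Note that the defect is confined to the default path: non-html keys were never affected, and a stored `*_html` translation still renders as markup under the fixed rule, so the check does not break legitimate use. The actual remediation is to upgrade to 5.2.4.4 / 6.0.3.3 or apply the advisory's workaround.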
Readme
# README

This README would normally document whatever steps are necessary to get the
application up and running.

Things you may want to cover:

* Ruby version

* System dependencies

* Configuration

* Database creation

* Database initialization

* How to run the test suite

* Services (job queues, cache servers, search engines, etc.)

* Deployment instructions

* ...
File Snapshot

```
[4.0K] /data/pocs/4e7b57f24c9f2060eaeb8ead82e9371bf8c3774b
├── [4.0K] app
│   ├── [4.0K] assets
│   │   ├── [4.0K] config
│   │   │   └── [  63] manifest.js
│   │   ├── [4.0K] images
│   │   └── [4.0K] stylesheets
│   │       ├── [ 709] application.css
│   │       ├── [1005] scaffolds.scss
│   │       └── [ 177] users.scss
│   ├── [4.0K] channels
│   │   └── [4.0K] application_cable
│   │       ├── [  79] channel.rb
│   │       └── [  85] connection.rb
│   ├── [4.0K] controllers
│   │   ├── [  57] application_controller.rb
│   │   ├── [4.0K] concerns
│   │   └── [1.8K] users_controller.rb
│   ├── [4.0K] helpers
│   │   ├── [  29] application_helper.rb
│   │   └── [  23] users_helper.rb
│   ├── [4.0K] javascript
│   │   ├── [4.0K] channels
│   │   │   ├── [ 266] consumer.js
│   │   │   └── [ 212] index.js
│   │   └── [4.0K] packs
│   │       └── [ 746] application.js
│   ├── [4.0K] jobs
│   │   └── [ 269] application_job.rb
│   ├── [4.0K] mailers
│   │   └── [ 102] application_mailer.rb
│   ├── [4.0K] models
│   │   ├── [  78] application_record.rb
│   │   ├── [4.0K] concerns
│   │   └── [  35] user.rb
│   └── [4.0K] views
│       ├── [4.0K] layouts
│       │   ├── [ 344] application.html.erb
│       │   ├── [ 229] mailer.html.erb
│       │   └── [  13] mailer.text.erb
│       └── [4.0K] users
│           ├── [ 123] edit.html.erb
│           ├── [ 530] _form.html.erb
│           ├── [ 614] index.html.erb
│           ├── [  53] index.json.jbuilder
│           ├── [  88] new.html.erb
│           ├── [ 170] show.html.erb
│           ├── [  40] show.json.jbuilder
│           └── [  96] _user.json.jbuilder
├── [1.7K] babel.config.js
├── [4.0K] bin
│   ├── [2.8K] bundle
│   ├── [ 264] rails
│   ├── [ 213] rake
│   ├── [1.0K] setup
│   ├── [ 507] spring
│   ├── [ 414] webpack
│   ├── [ 419] webpack-dev-server
│   └── [ 303] yarn
├── [4.0K] config
│   ├── [ 753] application.rb
│   ├── [ 207] boot.rb
│   ├── [ 195] cable.yml
│   ├── [ 464] credentials.yml.enc
│   ├── [ 620] database.yml
│   ├── [ 128] environment.rb
│   ├── [4.0K] environments
│   │   ├── [2.2K] development.rb
│   │   ├── [4.9K] production.rb
│   │   └── [1.9K] test.rb
│   ├── [4.0K] initializers
│   │   ├── [ 216] application_controller_renderer.rb
│   │   ├── [ 630] assets.rb
│   │   ├── [ 404] backtrace_silencers.rb
│   │   ├── [1.4K] content_security_policy.rb
│   │   ├── [ 244] cookies_serializer.rb
│   │   ├── [ 194] filter_parameter_logging.rb
│   │   ├── [ 647] inflections.rb
│   │   ├── [ 156] mime_types.rb
│   │   └── [ 485] wrap_parameters.rb
│   ├── [4.0K] locales
│   │   ├── [ 890] en.yml
│   │   └── [  34] zh-TW.yml
│   ├── [1.5K] puma.rb
│   ├── [ 159] routes.rb
│   ├── [  97] spring.rb
│   ├── [1.1K] storage.yml
│   ├── [4.0K] webpack
│   │   ├── [ 155] development.js
│   │   ├── [  82] environment.js
│   │   ├── [ 154] production.js
│   │   └── [ 155] test.js
│   └── [1.9K] webpacker.yml
├── [ 130] config.ru
├── [4.0K] db
│   ├── [4.0K] migrate
│   │   └── [ 152] 20201008142838_create_users.rb
│   ├── [ 950] schema.rb
│   └── [ 420] seeds.rb
├── [1.9K] Gemfile
├── [5.4K] Gemfile.lock
├── [4.0K] lib
│   ├── [4.0K] assets
│   └── [4.0K] tasks
├── [4.0K] log
├── [ 323] package.json
├── [ 224] postcss.config.js
├── [4.0K] public
│   ├── [1.7K] 404.html
│   ├── [1.7K] 422.html
│   ├── [1.6K] 500.html
│   ├── [   0] apple-touch-icon.png
│   ├── [   0] apple-touch-icon-precomposed.png
│   ├── [   0] favicon.ico
│   └── [  99] robots.txt
├── [ 227] Rakefile
├── [ 374] README.md
├── [4.0K] storage
├── [4.0K] test
│   ├── [ 157] application_system_test_case.rb
│   ├── [4.0K] channels
│   │   └── [4.0K] application_cable
│   │       └── [ 248] connection_test.rb
│   ├── [4.0K] controllers
│   │   └── [ 969] users_controller_test.rb
│   ├── [4.0K] fixtures
│   │   ├── [4.0K] files
│   │   └── [ 136] users.yml
│   ├── [4.0K] helpers
│   ├── [4.0K] integration
│   ├── [4.0K] mailers
│   ├── [4.0K] models
│   │   └── [ 118] user_test.rb
│   ├── [4.0K] system
│   │   └── [ 847] users_test.rb
│   └── [ 386] test_helper.rb
├── [4.0K] tmp
│   └── [4.0K] pids
├── [4.0K] vendor
└── [325K] yarn.lock

48 directories, 91 files
```