Discovered 11 months ago
Published about 1 year ago
Category: Cross-Site Scripting
Severity: Moderate

Vulnerability in actionpack

There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions:


When an application is running in development mode, an attacker can send or embed (in another page) a specially crafted URL that allows the attacker to execute JavaScript in the context of the local application.


Until the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment by adding a line such as the following to their config/environment/development.rb:

config.middleware.delete ActionDispatch::ActionableExceptions
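The following is an added example (not part of the advisory or of Rails itself) that checks whether the actionpack version locked in a project's Gemfile.lock falls in the affected range stated above (>= 6.0.0), which is the condition under which the workaround line applies. The lockfile excerpt is constructed; it only uses the rubygems library bundled with Ruby, so it runs without Rails installed. Because this page lists no fixed versions, the check reports only whether the affected range matches, not whether a build is already patched.

```ruby
require "rubygems"

# Affected range copied from the advisory text on this page.
# No fixed versions are listed on the page, so nothing here claims "patched".
AFFECTED = Gem::Requirement.new(">= 6.0.0")

# Constructed sample Gemfile.lock excerpt (not taken from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.3)
        actionview (= 6.0.3.3)
        activesupport (= 6.0.3.3)
      rack (2.2.3)
LOCK

# Return the locked Gem::Version of gem_name from the "specs:" section of a
# Gemfile.lock, or nil if the gem is not a top-level spec entry.
# Top-level specs are indented four spaces ("    name (version)"); their
# dependencies are indented six and are deliberately not matched.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the project locks an actionpack version inside the affected range.
def actionpack_affected?(lockfile_text)
  version = locked_version(lockfile_text, "actionpack")
  return false if version.nil?
  AFFECTED.satisfied_by?(version)
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCKFILE, "actionpack")
  if actionpack_affected?(SAMPLE_LOCKFILE)
    puts "actionpack #{v} is in the affected range; apply the development.rb workaround"
  else
    puts "actionpack #{v.inspect} is outside the affected range"
  end
end
```

Run it against a real project with `ruby check.rb` after replacing SAMPLE_LOCKFILE with `File.read("Gemfile.lock")`; a result of "affected" means the `config.middleware.delete ActionDispatch::ActionableExceptions` line above belongs in the development environment configuration until the upgrade is done.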

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a
Patched Versions


Unaffected Versions

< 6.0.0