Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2023-28120 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2023-28120

CVE-2023-28120

MEDIUM5.3

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input

Published Jan 9, 2025

Modified 1 years ago

Details

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

References

https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469

https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/

https://security.netapp.com/advisory/ntap-20240202-0006/

https://www.cve.org/CVERecord?id=CVE-2023-28120

https://www.debian.org/security/2023/dsa-5389

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ecosystems

Timeline

PublishedJan 9, 2025

ModifiedJan 9, 2025