Recent "rails" CVEs [CVE-2023-23913, CVE-2023-27531]

[jasnow]

Saw that 2 of the CVE's posted to discuss.rubyrails.org mailing list had
been added to the database by @severinkaelin , but I see 2 more:

• 27531: https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467#post_1

  • https://github.com/rails/kredis/releases/tag/v1.3.0.1 (patch)

• 23913: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468#post_1

  • Patch: Upgrade to Rails 6.1.7.3 or 7.0.4.3

I will start collecting the data, but if someone else has started, please speak up. Otherwise please assign this issue to me.
Also I am willing to have someone proof my work before I commit it.
Thanks.

[jasnow]

Now we wait for the CVE's to be publlished with CVSS_V2 and/or CVSS_V3 values.

[jasnow]

unneeded