CVE-2013-6415

2013-12-0700:55:00

CWE-79

[email protected]

web.nvd.nist.gov

ruby on rails

xss

vulnerability

remote injection

web script

html

nvd

cve-2013-6415

5.4 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.2%

JSON

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

CPENameOperatorVersion
rubyonrails:ruby_on_railsrubyonrails ruby on railseq3.2.14
rubyonrails:ruby_on_railsrubyonrails ruby on railsle3.2.15
rubyonrails:ruby_on_railsrubyonrails ruby on railseq3.1.11
rubyonrails:ruby_on_railsrubyonrails ruby on railseq3.0.4
rubyonrails:railsrubyonrails railseq3.0.0
rubyonrails:railsrubyonrails railseq3.0.1
rubyonrails:railsrubyonrails railseq3.0.2
rubyonrails:railsrubyonrails railseq3.0.10
rubyonrails:railsrubyonrails railseq3.0.12
rubyonrails:railsrubyonrails railseq3.0.13

CPE	Name	Operator	Version
rubyonrails:ruby_on_rails	rubyonrails ruby on rails	eq	3.2.14
rubyonrails:ruby_on_rails	rubyonrails ruby on rails	le	3.2.15
rubyonrails:ruby_on_rails	rubyonrails ruby on rails	eq	3.1.11
rubyonrails:ruby_on_rails	rubyonrails ruby on rails	eq	3.0.4
rubyonrails:rails	rubyonrails rails	eq	3.0.0
rubyonrails:rails	rubyonrails rails	eq	3.0.1
rubyonrails:rails	rubyonrails rails	eq	3.0.2
rubyonrails:rails	rubyonrails rails	eq	3.0.10
rubyonrails:rails	rubyonrails rails	eq	3.0.12
rubyonrails:rails	rubyonrails rails	eq	3.0.13