CVSS2 base score: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS score: 0.002 Low (percentile 59.7%)
The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular, the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable; however, all users running an affected release should still upgrade.
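As an added illustration (not Rails's own escaping code), the Ruby below puts a minimal escaper with the gap the advisory describes beside a corrected one, and adds the attribute-context check that exposes the difference: an escaped value placed inside a single-quoted attribute is only safe if no raw quote survives. The helper names and the `&#39;` entity are this example's choices.

```ruby
# Escaping table that mirrors the defect described above: ' is not in the map.
ESCAPE_WITHOUT_QUOTE = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;'
}.freeze

# Corrected table: the single quote is encoded as well. &#39; is the entity
# chosen for this example; any character reference for U+0027 works the same.
ESCAPE_WITH_QUOTE = ESCAPE_WITHOUT_QUOTE.merge("'" => '&#39;').freeze

# Vulnerable behaviour: everything but the single quote is neutralised.
def html_escape_incomplete(str)
  str.to_s.gsub(/[&<>"]/, ESCAPE_WITHOUT_QUOTE)
end

# Hardened behaviour: the single quote is neutralised too.
def html_escape_fixed(str)
  str.to_s.gsub(/[&<>"']/, ESCAPE_WITH_QUOTE)
end

# Renders a value into a single-quoted attribute, the context where the
# missing escape matters: a raw ' in the value terminates the attribute early.
def single_quoted_attr(name, value, escaper)
  "#{name}='#{send(escaper, value)}'"
end

# Review check: escaped text destined for an attribute value must contain
# neither quote character in raw form, whichever quoting style the template uses.
def attribute_safe?(escaped)
  !escaped.match?(/["']/)
end

if __FILE__ == $PROGRAM_NAME
  sample = %q(O'Brien & "Sons" <Ltd>) # constructed input, not from the advisory
  puts single_quoted_attr('title', sample, :html_escape_incomplete)
  puts single_quoted_attr('title', sample, :html_escape_fixed)
end
```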
CPE | Name | Operator | Version |
---|---|---|---|
 | gem/activesupport | lt | 3.0.17 |
 | gem/activesupport | ge | 3.1.0 |
 | gem/activesupport | lt | 3.1.8 |
 | gem/activesupport | ge | 3.2.0 |
 | gem/activesupport | lt | 3.2.8 |