Lucene search

GoogleOSV:GHSA-W37C-Q653-QG95

HistoryOct 24, 2017 - 6:33 p.m.

actionpack Cross-site Scripting vulnerability

2017-10-2418:33:36

Google

osv.dev

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

55.9%

JSON

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.

CPENameOperatorVersion
actionpackeq4.0.1
actionpackeq4.0.1.rc4
actionpackeq4.0.0
actionpackeq4.0.1.rc2
actionpackeq4.0.1.rc1
actionpackeq4.0.1.rc3

Name	Operator	Version
actionpack	eq	4.0.1
actionpack	eq	4.0.1.rc4
actionpack	eq	4.0.0
actionpack	eq	4.0.1.rc2
actionpack	eq	4.0.1.rc1
actionpack	eq	4.0.1.rc3

References

weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released

github.com/rails/rails

github.com/rails/rails/commit/4b4f5847f64f81c961625e647711ef9f6ad1a454

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml

groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM

groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ

nvd.nist.gov/vuln/detail/CVE-2013-6416

web.archive.org/web/20200228165109/www.securityfocus.com/bid/64071

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

55.9%

JSON

Related for OSV:GHSA-W37C-Q653-QG95