(RHSA-2016:1856) Moderate: rh-ror41-rubygem-actionview security update

2016-09-13T13:50:58
ID RHSA-2016:1856
Type redhat
Reporter RedHat
Modified 2018-06-13T01:28:18

Description

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component.

Security Fix(es):

  • It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter.