Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb
in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2
allow remote attackers to inject arbitrary web script or HTML via the (1) format,
(2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage,
or © number_to_human helper.
CPE | Name | Operator | Version |
---|---|---|---|
actionpack | le | 3.2.16 | |
actionpack | ge | 3.3.0 | |
actionpack | le | 4.0.2 | |
actionpack | ge | 4.1.0 | |
actionpack | lt | 4.1.0.beta2 |