112 matches found
SUSE SLES15 / openSUSE 15 Security Update : rubygem-actionview-5_1 (SUSE-SU-2023:3813-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:3813-1 advisory. - CVE-2023-23913: Fixed DOM Based Cross-site Scripting in rails-ujs bsc1209826. Tenable has extracted the preceding description block...
SUSE-SU-2023:3813-1 Security update for rubygem-actionview-5_1
This update for rubygem-actionview-51 fixes the following issues: - CVE-2023-23913: Fixed DOM Based Cross-site Scripting in rails-ujs bsc1209826...
Fedora: Security Advisory for rubygem-actionview (FEDORA-2023-4f0bb4ff5e)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 39 Update: rubygem-actionview-7.0.7.2-1.fc39
Simple, battle-tested conventions and helpers for building web pages...
GHSA-XP5H-F8JF-RC8Q rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML...
SUSE-SU-2023:2059-1 Security update for rubygem-actionview-5_1
This update for rubygem-actionview-51 fixes the following issues: - CVE-2022-27777: Fixed possible cross-site scripting vulnerability in Action View tag helpers bsc1199060. - CVE-2020-15169: Fixed cross-site scripting in translation helpers bsc1176421. - CVE-2020-8167: Fixed CSRF vulnerability in...
Fedora: Security Advisory for rubygem-actionview (FEDORA-2023-7002afbbb8)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 37 Update: rubygem-actionview-7.0.4.3-1.fc37
Simple, battle-tested conventions and helpers for building web pages...
Fedora: Security Advisory for rubygem-actionview (FEDORA-2023-d6157bb1e2)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 38 Update: rubygem-actionview-7.0.4.3-1.fc38
Simple, battle-tested conventions and helpers for building web pages...
Internet Bug Bounty: Rails ActionView sanitize helper bypass leading to XSS using SVG tag.
Loofah versions between 2.1.0 and 2.19.1 were vulnerable to a cross-site scripting XSS attack via the image/svg+xml media type in data URIs. This allowed an attacker to bypass HTML sanitization and execute malicious code. The vulnerability was mitigated by upgrading to Loofah version 2.19.1 or...
SUSE-SU-2022:3860-1 Security update for rubygem-actionview-4_2
This update for rubygem-actionview-42 fixes the following issues: - CVE-2022-27777: Fixed cross-site scripting vulnerability in Action View tag helpers bsc1199060...
Ruby on Rails: ActionView sanitize helper bypass leading to XSS using SVG tag.
An HTML sanitization bypass vulnerability was discovered in the ActionView sanitize helper. This allowed an attacker to bypass sanitization and execute cross-site scripting XSS attacks by using the use tag of the SVG element. By embedding a base64 encoded SVG with malicious code, an attacker coul...
CVE-2022-27777
A flaw was found in rubygem-actionview when untrusted data such as the hash key for tag attributes are not properly escaped. This flaw allows an attacker to perform a Cross-site scripting attack...
Cross-site Scripting (XSS)
Overview actionview is a simple, battle-tested conventions and helpers for building web pages. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ActionView::Helpers and ERB::Util methods, due to improper escape of dangerous characters in names of tags and names ...
Ruby on Rails: XSS vulnerabilities due to missing checks in tag helpers
XSS vulnerabilities were discovered in certain tag helpers in Rails, specifically in the FormTagHelper and TagHelper modules. These vulnerabilities allowed attackers to execute arbitrary JavaScript code by manipulating user-controlled input in tag attributes and tag names. The impact of these...
OESA-2021-1180 rubygem-actionview security update
Simple, battle-tested conventions and helpers for building web pages. Security Fixes: In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting XSS vulnerability in Action View s translation helpers. Views that allow the user to control the default not found val...
rubygem-actionview: CSRF vulnerability in rails-ujs
A flaw was found in rubygem-actionview. A regression of CVE-2015-1840 causes Rails-ujs to send CSRF tokens to wrong domains. The highest threat from this vulnerability is to data integrity...
rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks
A flaw was found in rubygem-actionview. Views that use the j or escapejavascript methods may be susceptible to XSS attacks with ActionView's JavaScript literal escape helpers. The highest threat from this vulnerability is to data confidentiality and integrity...
[SECURITY] Fedora 33 Update: rubygem-actionview-6.0.3.3-1.fc33
Simple, battle-tested conventions and helpers for building web pages...