Lucene search

K

Ubuntu.comUB:CVE-2013-1855

HistoryMar 19, 2013 - 12:00 a.m.

CVE-2013-1855

2013-03-1900:00:00

ubuntu.com

ubuntu.com

22

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.5%

The sanitize_css method in
lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action
Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before
3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline)
characters, which makes it easier for remote attackers to conduct
cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS)
token sequences.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703349>

Notes

Author	Note
mdeslaur	in Oneiric+, rails package is just for transition

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchruby-actionpack-3.2< 3.2.6-5UNKNOWN

References

groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain

launchpad.net/bugs/cve/CVE-2013-1855

nvd.nist.gov/vuln/detail/CVE-2013-1855

security-tracker.debian.org/tracker/CVE-2013-1855

www.cve.org/CVERecord?id=CVE-2013-1855

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.5%

Related for UB:CVE-2013-1855

gitlab1 prion1 seebug1 cve1 veracode1 osv1 debiancve1 github1 rubygems1 nessus11 redhat2 ibm1 openvas8 fedora2 freebsd1 threatpost1 debian1 gentoo1 securityvulns2