
CVE-2020-15169

Description

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

#### Bugs

* <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040>

#### Notes

Author | Note
---|---
[seth-arnold](https://launchpad.net/~seth-arnold) | In Oneiric-Saucy, rails package is just for transition; the rails package contains actual code from vivid onward
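The Ruby model below is added here and is not the Action View source. It reproduces, in a few lines, how the `translate` helper's `default:` option is handled for keys named `html` or ending in `_html` before and after the patch; `SafeString` stands in for `ActiveSupport::SafeBuffer`, `TRANSLATIONS` and `UNTRUSTED_DEFAULT` are constructed sample data, and the key-suffix regex is modelled on the helper's own rule.

```ruby
require "erb"

# Added illustration of CVE-2020-15169, not the Action View source: a minimal
# model of how the `translate` helper treats the `default:` option for keys
# named "html" or ending in "_html", before and after the fix.

# Stand-in for ActiveSupport::SafeBuffer: the view renders it without escaping.
SafeString = Struct.new(:value)

# Key-suffix rule modelled on Action View's html_safe_translation_key?.
def html_key?(key)
  key.to_s.match?(/(?:_|\b)html\z/)
end

# Vulnerable behaviour (Action View < 5.2.4.4 / < 6.0.3.3): whatever fills an
# *_html key is marked safe, including a caller-supplied default for a missing key.
def translate_vulnerable(translations, key, default:)
  value = translations.fetch(key.to_s) { default }
  html_key?(key) ? SafeString.new(value.to_s) : value.to_s
end

# Patched behaviour: a looked-up *_html translation (trusted locale data) stays
# safe, but a default is escaped unless the caller already marked it safe.
def translate_fixed(translations, key, default:)
  if translations.key?(key.to_s)
    value = translations[key.to_s]
    return html_key?(key) ? SafeString.new(value) : value
  end
  return default.to_s unless html_key?(key)
  default.is_a?(SafeString) ? default : SafeString.new(ERB::Util.html_escape(default.to_s))
end

# What the template engine emits: safe strings verbatim, everything else escaped.
def render(result)
  result.is_a?(SafeString) ? result.value : ERB::Util.html_escape(result)
end

# Constructed sample: one trusted translation, and a default that (in a real
# app) would come from user-controlled input.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze
UNTRUSTED_DEFAULT = "<i>user supplied</i>"

if $PROGRAM_NAME == __FILE__
  # Vulnerable: markup from the default reaches the page unescaped.
  puts render(translate_vulnerable(TRANSLATIONS, :missing_html, default: UNTRUSTED_DEFAULT))
  # Fixed: the same default is escaped; the real *_html translation still renders as HTML.
  puts render(translate_fixed(TRANSLATIONS, :missing_html, default: UNTRUSTED_DEFAULT))
  puts render(translate_fixed(TRANSLATIONS, :greeting_html, default: UNTRUSTED_DEFAULT))
end
```

The contrast between `translate_vulnerable` and `translate_fixed` on `:missing_html` is the whole bug: a non-html key was always escaped by the view, so only the `*_html` default path needed the fix.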


Affected Package


OS | OS Version | Package Name | Package Version
---|---|---|---
ubuntu | 20.04 | rails | any
ubuntu | 22.04 | rails | any
ubuntu | upstream | rails | any
ubuntu | 16.04 | rails | any
ubuntu | upstream | rails-4.0 | any
ubuntu | upstream | ruby-actionpack-3.2 | any
ubuntu | upstream | ruby-activemodel-3.2 | any
ubuntu | upstream | ruby-activerecord-3.2 | any
ubuntu | upstream | ruby-activesupport-3.2 | any
ubuntu | upstream | ruby-rails-3.2 | any
