exploitDog

CVE-2013-6415

Published: 03 Dec 2013
Source: redhat
CVSS2: 4.3
EPSS: Low

Description

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ruby193-rubygem-actionpack | Affected | | |
| OpenShift Enterprise 1 | ruby193-rubygem-actionpack | Will not fix | | |
| Red Hat OpenStack Platform 4 | ruby193-rubygem-actionpack | Not affected | | |
| Red Hat Satellite 6 | ruby193-rubygem-actionpack | Affected | | |
| Red Hat Software Collections | ror40-rubygem-actionpack | Not affected | | |
| Red Hat Subscription Asset Manager | rubygem-actionpack | Affected | | |
| OpenStack 3 for RHEL 6 | ruby193-rubygem-actionpack | Fixed | RHSA-2014:0008 | 06.01.2014 |
| Red Hat Software Collections for RHEL-6 | ruby193-rubygem-actionpack | Fixed | RHSA-2013:1794 | 05.12.2013 |
| Red Hat Subscription Asset Manager 1.4 | katello | Fixed | RHSA-2014:1863 | 17.11.2014 |
| Red Hat Subscription Asset Manager 1.4 | ruby193-rubygem-actionmailer | Fixed | RHSA-2014:1863 | 17.11.2014 |

Additional information

Status: Moderate
Defect: CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1036910 (rubygem-actionpack: number_to_currency XSS)

EPSS

Percentile: 81%
0.01506
Low

4.3 Medium

CVSS2

Related vulnerabilities

ubuntu
about 12 years ago

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

nvd
about 12 years ago

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

debian
about 12 years ago

Cross-site scripting (XSS) vulnerability in the number_to_currency hel ...

github
more than 8 years ago

actionpack vulnerable to Cross-site Scripting
