Description
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack.
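As an added illustration (not code from the Rails project or from this advisory), the simplified attribute builder below contrasts the pre-fix behaviour, where a value marked HTML safe is interpolated into the attribute verbatim, with a hardened builder that replaces double quotes regardless of the safe flag. The `SafeString` class, the `attribute_count` check and the sample value are constructed for this example.

```ruby
require "erb"

# Constructed stand-in for a string the application has marked "HTML safe"
# (as ActiveSupport::SafeBuffer does); helpers then trust it verbatim.
class SafeString < String
  def html_safe?
    true
  end
end

def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Pre-fix behaviour described by the advisory: a safe string receives no
# escaping at all, so a double quote inside it terminates the attribute.
def vulnerable_attr(name, value)
  escaped = html_safe?(value) ? value.to_s : ERB::Util.html_escape(value)
  %(#{name}="#{escaped}")
end

# Hardened builder: a safe string keeps its markup, but double quotes are
# always replaced, so the value can never leave the quoted attribute.
def hardened_attr(name, value)
  escaped = html_safe?(value) ? value.to_s : ERB::Util.html_escape(value)
  %(#{name}="#{escaped.gsub('"', "&quot;")}")
end

# Simple check for a rendered fragment: one attribute in should mean
# exactly one name="..." pair out; more than one indicates a breakout.
def attribute_count(fragment)
  fragment.scan(/\w+="[^"]*"/).length
end

# Constructed sample: a value the application wrongly marked safe and
# that carries a double quote, imitating user input that reached html_safe.
INJECTED = SafeString.new('hello" data-injected="1')

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_attr("title", INJECTED)  # title="hello" data-injected="1"
  puts hardened_attr("title", INJECTED)    # title="hello&quot; data-injected=&quot;1"
end
```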
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Subscription Asset Manager | ruby193-rubygem-actionpack | Affected | | |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-actionview | Fixed | RHSA-2016:1856 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | ror40-rubygem-actionpack | Fixed | RHSA-2016:1857 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | ruby193-rubygem-actionpack | Fixed | RHSA-2016:1858 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | rh-ror41-rubygem-actionview | Fixed | RHSA-2016:1856 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | ror40-rubygem-actionpack | Fixed | RHSA-2016:1857 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | ruby193-rubygem-actionpack | Fixed | RHSA-2016:1858 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-ror41-rubygem-actionview | Fixed | RHSA-2016:1856 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | ror40-rubygem-actionpack | Fixed | RHSA-2016:1857 | 13.09.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | ruby193-rubygem-actionpack | Fixed | RHSA-2016:1858 | 13.09.2016 |
Additional information
Status:
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium