All the vulnerabilities related to rubyonrails - html_sanitizer
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
References
Impacted products
Note: in the configuration data below only html_sanitizer (versionEndIncluding 1.0.2) carries "vulnerable": true; the rails rows are the platform context of the AND node and carry "vulnerable": false. The repeated rails rows are pre-release tags (beta/rc) whose update field this table does not display.
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | html_sanitizer | * | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.2 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5.1 | |
rubyonrails | rails | 4.2.5.2 | |
rubyonrails | rails | 4.2.6 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4", "versionEndIncluding": "1.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": false }, { "criteria": 
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", 
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*", "matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class." }, { "lang": "es", "value": "Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer." 
} ], "id": "CVE-2015-7579", "lastModified": "2024-11-21T02:37:01.243", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-16T02:59:03.000", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12" }, { "source": "secalert@redhat.com", "url": 
"http://www.securitytracker.com/id/1034816" }, { "source": "secalert@redhat.com", "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f" }, { "source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034816" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
References
Impacted products
Note: in the configuration data below only html_sanitizer (versionEndIncluding 1.0.2) carries "vulnerable": true; the rails rows are the platform context of the AND node and carry "vulnerable": false. The repeated rails rows are pre-release tags (beta/rc) whose update field this table does not display.
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | html_sanitizer | * | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.2 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5.1 | |
rubyonrails | rails | 4.2.5.2 | |
rubyonrails | rails | 4.2.6 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4", "versionEndIncluding": "1.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": false }, { "criteria": 
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", 
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*", "matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node." }, { "lang": "es", "value": "Vulnerabilidad de XSS en lib/rails/html/scrubbers.rb en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nodo CDATA manipulado." 
} ], "id": "CVE-2015-7580", "lastModified": "2024-11-21T02:37:01.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-16T02:59:03.970", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034816" }, { "source": "secalert@redhat.com", "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78" }, { "source": "secalert@redhat.com", "url": 
"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034816" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
References
Impacted products
Note: in the configuration data below only html_sanitizer (versionEndIncluding 1.0.2) carries "vulnerable": true; the rails rows are the platform context of the AND node and carry "vulnerable": false. The repeated rails rows are pre-release tags (beta/rc) whose update field this table does not display.
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | html_sanitizer | * | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.0 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.1 | |
rubyonrails | rails | 4.2.2 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.3 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.4 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5 | |
rubyonrails | rails | 4.2.5.1 | |
rubyonrails | rails | 4.2.5.2 | |
rubyonrails | rails | 4.2.6 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 | |
rubyonrails | rails | 5.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4", "versionEndIncluding": "1.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": false }, { "criteria": 
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", 
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*", "matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE", "vulnerable": false }, { "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de atributos de etiqueta manipulados." 
} ], "id": "CVE-2015-7578", "lastModified": "2024-11-21T02:37:01.113", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-16T02:59:02.047", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11" }, { "source": "secalert@redhat.com", "url": 
"http://www.securitytracker.com/id/1034816" }, { "source": "secalert@redhat.com", "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4" }, { "source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034816" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-03-30 19:29
Modified
2024-11-21 04:05
Severity ?
Summary
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when given input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
References
▼ | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae | Issue Tracking, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | html_sanitizer | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "E221C207-396B-4686-AB55-18000F88663E", "versionEndIncluding": "1.0.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately." }, { "lang": "es", "value": "Es posible que haya una vulnerabilidad Cross-Site Scripting (XSS) en todas las versiones inferiores a la 1.0.4 de la gema rails-html-sanitizer para Ruby. La gema permite que los atributos que no est\u00e1n en una lista blanca est\u00e9n presentes en las salidas saneadas cuando la entrada incluye fragmentos HTML especialmente manipulados. Estos atributos pueden conducir a un ataque Cross-Site Scripting (XSS) en las aplicaciones objetivo. Este problema es similar a CVE-2018-8048 en Loofah. Todos los usuarios que ejecuten una distribuci\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente." 
} ], "id": "CVE-2018-3741", "lastModified": "2024-11-21T04:05:59.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-30T19:29:00.333", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2018-3741
Vulnerability from cvelistv5
Published
2018-03-30 19:00
Modified
2024-08-05 04:50
Summary
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. When given specially-crafted HTML fragments as input, the gem lets attributes that are not on its allow-list survive in the sanitized output, and those attributes can lead to an XSS attack on applications that render that output as trusted HTML. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release (<= 1.0.3, per the impacted-products data below) should upgrade to 1.0.4 or later, or apply one of the workarounds, immediately. Note that the only reference in this record is the fix commit; the workarounds themselves are not described here and must be taken from the upstream advisory.
References
▼ | URL | Tags |
---|---|---|
https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
Rails | rails-html-sanitizer | <= 1.0.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T04:50:30.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "rails-html-sanitizer", "vendor": "Rails", "versions": [ { "status": "affected", "version": "\u003c= 1.0.3" } ] } ], "datePublic": "2018-03-30T00:00:00", "descriptions": [ { "lang": "en", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-30T18:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-3741", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "rails-html-sanitizer", "version": { "version_data": [ { "version_value": "\u003c= 1.0.3" } ] } } ] }, "vendor_name": "Rails" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2018-3741", "datePublished": "2018-03-30T19:00:00", "dateReserved": "2017-12-28T00:00:00", "dateUpdated": "2024-08-05T04:50:30.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7579
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-06 07:51
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. Note that this description names only release 1.0.2 and the CNA record below carries no affected-product data (vendor, product and version are all "n/a"), so tooling that matches on CNA product data will not flag it. The fix is the linked commit 49dfc15; the companion advisories CVE-2015-7578 and CVE-2015-7580, disclosed the same day (2016-01-25), describe the fixed release as 1.0.3, so treat 1.0.3 as the minimum safe version for this issue as well.
References
▼ | URL | Tags |
---|---|---|
https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f | x_refsource_CONFIRM | |
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ | mailing-list, x_refsource_MLIST | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK | |
http://www.openwall.com/lists/oss-security/2016/01/25/12 | mailing-list, x_refsource_MLIST | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:51:28.640Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f" }, { "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ" }, { "name": "FEDORA-2016-3a2606f993", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12" }, { "name": "FEDORA-2016-59ce8b61dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": "SUSE-SU-2016:0391", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "title": "CVE Program Container" } ], "cna": { 
"affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f" }, { "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ" }, { "name": "FEDORA-2016-3a2606f993", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12" }, { "name": "FEDORA-2016-59ce8b61dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": 
"SUSE-SU-2016:0391", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7579", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f" }, { "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ" }, { "name": "FEDORA-2016-3a2606f993", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12" }, { "name": "FEDORA-2016-59ce8b61dd", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": "SUSE-SU-2016:0391", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7579", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.640Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7578
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-06 07:51
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. The fix is the linked commit 297161e. As with the other rails-html-sanitizer records disclosed on 2016-01-25, the CNA record lists vendor, product and version as "n/a", so version matching must rely on the gem version named in this description rather than on the CNA affected-product data.
References
▼ | URL | Tags |
---|---|---|
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html | vendor-advisory, x_refsource_FEDORA | |
http://www.openwall.com/lists/oss-security/2016/01/25/11 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE | |
https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4 | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK | |
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ | mailing-list, x_refsource_MLIST | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:51:28.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2016-3a2606f993", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ" }, { "name": "FEDORA-2016-59ce8b61dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": "SUSE-SU-2016:0391", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "title": "CVE Program Container" 
} ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "FEDORA-2016-3a2606f993", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ" }, { "name": "FEDORA-2016-59ce8b61dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": "SUSE-SU-2016:0391", 
"tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7578", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2016-3a2606f993", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11" }, { "name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4" }, { "name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816" }, { "name": "[ruby-security-ann] 20160125 
[CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ" }, { "name": "FEDORA-2016-59ce8b61dd", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html" }, { "name": "SUSE-SU-2016:0391", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7578", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7580
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-06 07:51
Summary
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. The fix is the linked commit 63903b0. Unlike CVE-2015-7578 and CVE-2015-7579, this record lists no Fedora advisory references, so users of distribution-packaged gems should confirm their package includes this specific fix rather than assuming one update covers all three issues.
References
▼ | URL | Tags |
---|---|---|
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE | |
http://www.openwall.com/lists/oss-security/2016/01/25/15 | mailing-list, x_refsource_MLIST | |
http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK | |
https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78 | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:51:28.598Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034816" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78" }, { "name": "SUSE-SU-2016:0391", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject 
arbitrary web script or HTML via a crafted CDATA node." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ" }, { "name": "SUSE-SU-2016:1146", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15" }, { "name": "1034816", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034816" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78" }, { "name": "SUSE-SU-2016:0391", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7580", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ" }, { "name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html" }, { "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15" }, { "name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816" }, { "name": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78" }, { "name": "SUSE-SU-2016:0391", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html" }, { "name": "openSUSE-SU-2016:0356", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7580", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.598Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }