CVE-2015-7579 (GCVE-0-2015-7579)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51 – n/a
| URL | Tags |
|---|---|
| https://github.com/rails/rails-html-sanitizer/com… | x_refsource_CONFIRM |
| https://groups.google.com/forum/message/raw?msg=r… | mailing-list, x_refsource_MLIST |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK |
| http://www.openwall.com/lists/oss-security/2016/0… | mailing-list, x_refsource_MLIST |
| http://lists.fedoraproject.org/pipermail/package-… | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"name": "FEDORA-2016-3a2606f993",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"name": "FEDORA-2016-59ce8b61dd",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"name": "SUSE-SU-2016:0391",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"name": "openSUSE-SU-2016:0356",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"name": "FEDORA-2016-3a2606f993",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"name": "FEDORA-2016-59ce8b61dd",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"name": "SUSE-SU-2016:0391",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"name": "openSUSE-SU-2016:0356",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f",
"refsource": "CONFIRM",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"name": "FEDORA-2016-3a2606f993",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"name": "FEDORA-2016-59ce8b61dd",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"name": "SUSE-SU-2016:0391",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"name": "openSUSE-SU-2016:0356",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7579",
"datePublished": "2016-02-16T02:00:00.000Z",
"dateReserved": "2015-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2015-7579",
"date": "2026-05-19",
"epss": "0.00166",
"percentile": "0.37216"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*\", \"versionEndIncluding\": \"1.0.2\", \"matchCriteriaId\": \"4CBB3D93-016A-43CA-9325-3F5D58DD4FD4\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A68D41F-36A9-4B77-814D-996F4E48FA79\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"709A19A5-8FD1-4F9C-A38C-F06242A94D68\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"8104482C-E8F5-40A7-8B27-234FEF725FD0\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"2CFF8677-EA00-4F7E-BFF9-272482206DB5\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*\", \"matchCriteriaId\": \"8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"85435026-9855-4BF4-A436-832628B005FD\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"56C2308F-A590-47B0-9791-7865D189196F\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A266882-DABA-4A4C-88E6-60E993EE0947\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"83F1142C-3BFB-4B72-A033-81E20DB19D02\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FA738A1-227B-4665-B65E-666883FFAE96\"}, {\"vulnerable\": false, \"criteria\": 
\"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"10789A2D-6401-4119-BFBE-2EE4C16216D3\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"70ABD462-7142-4831-8EB6-801EC1D05573\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"81D717DB-7C80-48AA-A774-E291D2E75D6E\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"06B357FB-0307-4EFA-9C5B-3C2CDEA48584\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E4BD8840-0F1C-49D3-B843-9CFE64948018\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"79D5B492-43F9-470F-BD21-6EFD93E78453\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4EC1F602-D48C-458A-A063-4050BE3BB25F\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F6A1C015-56AD-489C-B301-68CF1DBF1BEF\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD191625-ACE2-46B6-9AAD-12D682C732C2\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"02C7DB56-267B-4057-A9BA-36D1E58C6282\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EC163D49-691B-4125-A983-6CF6F6D86DEE\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"68B537D1-1584-4D15-9C75-08ED4D45DC3A\"}, 
{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"1E3B4233-E117-4E77-A60D-3DFD5073154D\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF8F94CF-D504-4165-A69E-3F1198CB162A\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*\", \"matchCriteriaId\": \"C8C25977-AB6C-45E1-8956-871EB31B36BA\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F0AB6B0-3506-4332-A183-309FAC4882CE\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\\u00e9s de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer.\"}]",
"id": "CVE-2015-7579",
"lastModified": "2024-11-21T02:37:01.243",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2016-02-16T02:59:03.000",
"references": "[{\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/01/25/12\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1034816\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/01/25/12\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1034816\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-7579\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2016-02-16T02:59:03.000\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\"
,\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*\",\"versionEndIncluding\":\"1.0.2\",\"matchCriteriaId\":\"4CBB3D93-016A-43CA-9325-3F5D58DD4FD4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A68D41F-36A9-4B77-814D-996F4E48FA79\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"709A19A5-8FD1-4F9C-A38C-F06242A94D68\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8104482C-E8F5-40A7-8B27-234FEF725FD0\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CFF8677-EA00-4F7E-BFF9-272482206DB5\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"85435026-9855-4BF4-A436-832628B005FD\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"56C2308F-A590-47B0-9791-7865D189196F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A266882-DABA-4A4C-88E6-60E993EE0947\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83F1142C-3BFB-4B72-A033-81E20DB19D02\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FA738A1-227B-4665-B65E-666883FFAE96\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:
*:*:*:*:*\",\"matchCriteriaId\":\"6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"10789A2D-6401-4119-BFBE-2EE4C16216D3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"70ABD462-7142-4831-8EB6-801EC1D05573\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81D717DB-7C80-48AA-A774-E291D2E75D6E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06B357FB-0307-4EFA-9C5B-3C2CDEA48584\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4BD8840-0F1C-49D3-B843-9CFE64948018\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"79D5B492-43F9-470F-BD21-6EFD93E78453\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EC1F602-D48C-458A-A063-4050BE3BB25F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6A1C015-56AD-489C-B301-68CF1DBF1BEF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD191625-ACE2-46B6-9AAD-12D682C732C2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"02C7DB56-267B-4057-A9BA-36D1E58C6282\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC163D49-691B-4125-A983-6CF6F6D86DEE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68B537D1-1584-4D15-9C75-08ED4D45DC3A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1E3B4233-E1
17-4E77-A60D-3DFD5073154D\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF8F94CF-D504-4165-A69E-3F1198CB162A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8C25977-AB6C-45E1-8956-871EB31B36BA\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F0AB6B0-3506-4332-A183-309FAC4882CE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/12\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce
/2016-February/178064.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
CERTFR-2016-AVI-037
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans Ruby On Rails. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 4.1.x antérieures à 4.1.14.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 4.2.x antérieures à 4.2.5.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 5.0.x antérieures à 5.0.0.beta1.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 3.2.x antérieures à 3.2.22.1 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 4.1.x ant\u00e9rieures \u00e0 4.1.14.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 4.2.x ant\u00e9rieures \u00e0 4.2.5.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 5.0.x ant\u00e9rieures \u00e0 5.0.0.beta1.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 3.2.x ant\u00e9rieures \u00e0 3.2.22.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-0752",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0752"
},
{
"name": "CVE-2016-0753",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0753"
},
{
"name": "CVE-2015-7578",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7578"
},
{
"name": "CVE-2015-7581",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7581"
},
{
"name": "CVE-2015-7579",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7579"
},
{
"name": "CVE-2016-0751",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0751"
},
{
"name": "CVE-2015-7576",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7576"
},
{
"name": "CVE-2015-7577",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7577"
}
],
"links": [
{
"title": "Ruby On Rails groups.google.com",
"url": "https://groups.google.com/forum/?_escaped_fragment_=forum/rubyonrails-security#!forum/rubyonrails-security"
}
],
"reference": "CERTFR-2016-AVI-037",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2016-01-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection de code indirecte \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eRuby On Rails\u003c/span\u003e. Certaines d\u0027entre elles permettent\n\u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails du 25 janvier 2016",
"url": "http://weblog.rubyonrails.org/"
}
]
}
CERTFR-2016-AVI-037
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans Ruby On Rails. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 4.1.x antérieures à 4.1.14.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 4.2.x antérieures à 4.2.5.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 5.0.x antérieures à 5.0.0.beta1.1 |
| Ruby on Rails | Ruby on Rails | Ruby on Rails versions 3.2.x antérieures à 3.2.22.1 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby on Rails versions 4.1.x ant\u00e9rieures \u00e0 4.1.14.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 4.2.x ant\u00e9rieures \u00e0 4.2.5.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 5.0.x ant\u00e9rieures \u00e0 5.0.0.beta1.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby on Rails versions 3.2.x ant\u00e9rieures \u00e0 3.2.22.1",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-0752",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0752"
},
{
"name": "CVE-2016-0753",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0753"
},
{
"name": "CVE-2015-7578",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7578"
},
{
"name": "CVE-2015-7581",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7581"
},
{
"name": "CVE-2015-7579",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7579"
},
{
"name": "CVE-2016-0751",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0751"
},
{
"name": "CVE-2015-7576",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7576"
},
{
"name": "CVE-2015-7577",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7577"
}
],
"links": [
{
"title": "Ruby On Rails groups.google.com",
"url": "https://groups.google.com/forum/?_escaped_fragment_=forum/rubyonrails-security#!forum/rubyonrails-security"
}
],
"reference": "CERTFR-2016-AVI-037",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2016-01-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection de code indirecte \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eRuby On Rails\u003c/span\u003e. Certaines d\u0027entre elles permettent\n\u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails du 25 janvier 2016",
"url": "http://weblog.rubyonrails.org/"
}
]
}
CNVD-2016-00966
Vulnerability from cnvd - Published: 2016-02-16
用户可参考如下厂商提供的安全补丁以修复该漏洞: http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
| Name | Ruby on Rails Ruby on Rails |
|---|---|
{
"bids": {
"bid": {
"bidNumber": "81804"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2015-7579"
}
},
"description": "Ruby on Rails\u662fRails\u6838\u5fc3\u56e2\u961f\u5f00\u53d1\u7ef4\u62a4\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002rails-html-sanitizer\u662f\u5176\u4e2d\u7684\u4e00\u4e2aHTML\u4ee3\u7801\u6e05\u7406\u5305\u3002\r\n\r\nRuby on Rails rails-html-sanitizer\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e,\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002",
"discovererName": "Arthur Neves from GitHub and Spyros Livathinos from Zendesk",
"formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2016-00966",
"openTime": "2016-02-16",
"patchDescription": "Ruby on Rails\u662fRails\u6838\u5fc3\u56e2\u961f\u5f00\u53d1\u7ef4\u62a4\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002rails-html-sanitizer\u662f\u5176\u4e2d\u7684\u4e00\u4e2aHTML\u4ee3\u7801\u6e05\u7406\u5305\u3002\r\n\r\nRuby on Rails rails-html-sanitizer\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e,\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Ruby on Rails rails-html-sanitizer\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2016-00966\uff09\u7684\u8865\u4e01",
"products": {
"product": "Ruby on Rails Ruby on Rails"
},
"referenceLink": "http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/",
"serverity": "\u4e2d",
"submitTime": "2016-02-08",
"title": "Ruby on Rails rails-html-sanitizer\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2016-00966\uff09"
}
FKIE_CVE-2015-7579
Vulnerability from fkie_nvd - Published: 2016-02-16 02:59 - Updated: 2026-05-06 22:30
Note: in the NVD configuration below, only rubyonrails:html_sanitizer up to and including 1.0.2 is marked vulnerable; the rubyonrails:rails rows are platform qualifiers carried with vulnerable: false. The version column also drops the CPE update field (beta/rc), which is why several rows repeat the same base version.
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | html_sanitizer | * | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | rails | 4.2.5.2 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer."
}
],
"id": "CVE-2015-7579",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:03.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-R9C2-CR39-C8G6
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-01-24 14:56
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rails-html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-7579"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:54:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class.",
"id": "GHSA-r9c2-cr39-c8g6",
"modified": "2023-01-24T14:56:23Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7579"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails-html-sanitizer"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "rails-html-sanitizer Cross-site Scripting vulnerability"
}
GSD-2015-7579
Vulnerability from gsd - Updated: 2016-01-25 00:00
{
"GSD": {
"alias": "CVE-2015-7579",
"description": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"id": "GSD-2015-7579",
"references": [
"https://www.suse.com/security/cve/CVE-2015-7579.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rails-html-sanitizer",
"purl": "pkg:gem/rails-html-sanitizer"
}
}
],
"aliases": [
"CVE-2015-7579",
"GHSA-r9c2-cr39-c8g6"
],
"details": "There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View\u0027s `strip_tags`.\nThis vulnerability has been assigned the CVE identifier CVE-2015-7579.\n\nVersions Affected: 1.0.2\nNot affected: 1.0.0, 1.0.1\nFixed Versions: 1.0.3\n\nImpact\n------\nDue to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker\npasses an already escaped HTML entity to the input of Action View\u0027s `strip_tags`\nthese entities will be unescaped what may cause a XSS attack if used in combination\nwith `raw` or `html_safe`.\n\nFor example:\n\n strip_tags(\"\u0026lt;script\u0026gt;alert(\u0027XSS\u0027)\u0026lt;/script\u0026gt;\")\n\nWould generate:\n\n \u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\nAfter the fix it will generate:\n\n \u0026lt;script\u0026gt;alert(\u0027XSS\u0027)\u0026lt;/script\u0026gt;\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nIf you can\u0027t upgrade, please use the following monkey patch in an initializer\nthat is loaded before your application:\n\n```\n$ cat config/initializers/strip_tags_fix.rb\nclass ActionView::Base\n def strip_tags(html)\n self.class.full_sanitizer.sanitize(html)\n end\nend\n```\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches\nfor the two supported release series. They are in git-am format and consist\nof a single changeset.\n\n* Do-not-unescape-already-escaped-HTML-entities.patch\n\nCredits\n-------\nThank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for\nreporting the problem and working with us to fix it.\n",
"id": "GSD-2015-7579",
"modified": "2016-01-25T00:00:00.000Z",
"published": "2016-01-25T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.1,
"type": "CVSS_V3"
}
],
"summary": "XSS vulnerability in rails-html-sanitizer"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f",
"refsource": "CONFIRM",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"name": "FEDORA-2016-3a2606f993",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"name": "FEDORA-2016-59ce8b61dd",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"name": "SUSE-SU-2016:0391",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"name": "openSUSE-SU-2016:0356",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-7579",
"cvss_v3": 6.1,
"date": "2016-01-25",
"description": "There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View\u0027s `strip_tags`.\nThis vulnerability has been assigned the CVE identifier CVE-2015-7579.\n\nVersions Affected: 1.0.2\nNot affected: 1.0.0, 1.0.1\nFixed Versions: 1.0.3\n\nImpact\n------\nDue to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker\npasses an already escaped HTML entity to the input of Action View\u0027s `strip_tags`\nthese entities will be unescaped what may cause a XSS attack if used in combination\nwith `raw` or `html_safe`.\n\nFor example:\n\n strip_tags(\"\u0026lt;script\u0026gt;alert(\u0027XSS\u0027)\u0026lt;/script\u0026gt;\")\n\nWould generate:\n\n \u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\nAfter the fix it will generate:\n\n \u0026lt;script\u0026gt;alert(\u0027XSS\u0027)\u0026lt;/script\u0026gt;\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nIf you can\u0027t upgrade, please use the following monkey patch in an initializer\nthat is loaded before your application:\n\n```\n$ cat config/initializers/strip_tags_fix.rb\nclass ActionView::Base\n def strip_tags(html)\n self.class.full_sanitizer.sanitize(html)\n end\nend\n```\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches\nfor the two supported release series. They are in git-am format and consist\nof a single changeset.\n\n* Do-not-unescape-already-escaped-HTML-entities.patch\n\nCredits\n-------\nThank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for\nreporting the problem and working with us to fix it.\n",
"gem": "rails-html-sanitizer",
"ghsa": "r9c2-cr39-c8g6",
"patched_versions": [
"\u003e= 1.0.3"
],
"title": "XSS vulnerability in rails-html-sanitizer",
"unaffected_versions": [
"~\u003e 1.0.0",
"~\u003e 1.0.1"
],
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "1.0.2",
"affected_versions": "Version 1.0.2",
"credit": "Arthur Neves from GitHub and Spyros Livathinos from Zendesk",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-08-08",
"description": "Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker passes an already escaped HTML entity to the input of Action View\u0027s `strip_tags` these entities will be unescaped what may cause a XSS attack if used in combination with `raw` or `html_safe`. ",
"fixed_versions": [
"1.0.3"
],
"identifier": "CVE-2015-7579",
"identifiers": [
"CVE-2015-7579"
],
"not_impacted": "1.0.0, 1.0.1",
"package_slug": "gem/rails-html-sanitizer",
"pubdate": "2016-02-15",
"solution": "Upgrade to latest, apply patch or use workaround. See provided link.",
"title": "XSS vulnerability in strip_tags",
"urls": [
"https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
],
"uuid": "7cff9cf7-f7d3-4b5e-b741-884dee49e1b0"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7579"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "FEDORA-2016-3a2606f993",
"refsource": "FEDORA",
"tags": [],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"name": "FEDORA-2016-59ce8b61dd",
"refsource": "FEDORA",
"tags": [],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"name": "openSUSE-SU-2016:0356",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"name": "SUSE-SU-2016:0391",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1034816"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2019-08-08T15:16Z",
"publishedDate": "2016-02-16T02:59Z"
}
}
}
OPENSUSE-SU-2024:10189-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10189",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10189-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7578 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7579 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7580 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7580/"
}
],
"title": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10189-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"product_id": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"product": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"product_id": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
},
"product_reference": "ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7578"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7578",
"url": "https://www.suse.com/security/cve/CVE-2015-7578"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7578",
"url": "https://bugzilla.suse.com/963326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7579"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7579",
"url": "https://www.suse.com/security/cve/CVE-2015-7579"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7580"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7580",
"url": "https://www.suse.com/security/cve/CVE-2015-7580"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.2-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-doc-1.0.3-1.2.x86_64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.s390x",
"openSUSE Tumbleweed:ruby2.3-rubygem-rails-html-sanitizer-testsuite-1.0.3-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7580"
}
]
}
OPENSUSE-SU-2024:11349-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11349",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11349-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7578 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7579 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7580 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3741 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3741/"
}
],
"title": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11349-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"product": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"product_id": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"product": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"product_id": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"product": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"product_id": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"product": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"product_id": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"product": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"product_id": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"product": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"product_id": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"product": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"product_id": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"product": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"product_id": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64"
},
"product_reference": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le"
},
"product_reference": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x"
},
"product_reference": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
},
"product_reference": "ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64"
},
"product_reference": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le"
},
"product_reference": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x"
},
"product_reference": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
},
"product_reference": "ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7578"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7578",
"url": "https://www.suse.com/security/cve/CVE-2015-7578"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7578",
"url": "https://bugzilla.suse.com/963326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7579"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7579",
"url": "https://www.suse.com/security/cve/CVE-2015-7579"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7580"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7580",
"url": "https://www.suse.com/security/cve/CVE-2015-7580"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7580"
},
{
"cve": "CVE-2018-3741",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3741"
}
],
"notes": [
{
"category": "general",
"text": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3741",
"url": "https://www.suse.com/security/cve/CVE-2018-3741"
},
{
"category": "external",
"summary": "SUSE Bug 1085967 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1085967"
},
{
"category": "external",
"summary": "SUSE Bug 1086598 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1086598"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-rails-html-sanitizer-1.4.2-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-3741"
}
]
}
OPENSUSE-SU-2024:12145-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12145",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12145-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7578 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7579 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7580 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3741 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3741/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32209 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32209/"
}
],
"title": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12145-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"product_id": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"product_id": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64",
"product_id": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7578"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7578",
"url": "https://www.suse.com/security/cve/CVE-2015-7578"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7578",
"url": "https://bugzilla.suse.com/963326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7579"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7579",
"url": "https://www.suse.com/security/cve/CVE-2015-7579"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7580"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7580",
"url": "https://www.suse.com/security/cve/CVE-2015-7580"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7580"
},
{
"cve": "CVE-2018-3741",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3741"
}
],
"notes": [
{
"category": "general",
"text": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3741",
"url": "https://www.suse.com/security/cve/CVE-2018-3741"
},
{
"category": "external",
"summary": "SUSE Bug 1085967 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1085967"
},
{
"category": "external",
"summary": "SUSE Bug 1086598 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1086598"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-3741"
},
{
"cve": "CVE-2022-32209",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32209"
}
],
"notes": [
{
"category": "general",
"text": "# Possible XSS Vulnerability in Rails::Html::Sanitizer\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\nThis vulnerability has been assigned the CVE identifier CVE-2022-32209.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: v1.4.3\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer\u0027s allowed tags to allow both `select` and `style` elements.\n\nCode is only impacted if allowed tags are being overridden. This may be done via application configuration:\n\n```ruby\n# In config/application.rb\nconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`:\n\n```\n\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e\n```\n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\nOr it may be done with Rails::Html::SafeListSanitizer directly:\n\n```ruby\n# class-level option\nRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n```\n\nor\n\n```ruby\n# instance-level option\nRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])\n```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nRemove either `select` or `style` from the overridden allowed tags.\n\n## Credits\n\nThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32209",
"url": "https://www.suse.com/security/cve/CVE-2022-32209"
},
{
"category": "external",
"summary": "SUSE Bug 1201183 for CVE-2022-32209",
"url": "https://bugzilla.suse.com/1201183"
},
{
"category": "external",
"summary": "SUSE Bug 1206436 for CVE-2022-32209",
"url": "https://bugzilla.suse.com/1206436"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-rails-html-sanitizer-1.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-32209"
}
]
}
OPENSUSE-SU-2024:13137-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13137",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13137-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7578 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7579 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7580 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3741 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3741/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32209 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32209/"
}
],
"title": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13137-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"product": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"product_id": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"product": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"product_id": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"product": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"product_id": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64",
"product": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64",
"product_id": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64"
},
"product_reference": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le"
},
"product_reference": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x"
},
"product_reference": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
},
"product_reference": "ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7578"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7578",
"url": "https://www.suse.com/security/cve/CVE-2015-7578"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7578",
"url": "https://bugzilla.suse.com/963326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7579"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7579",
"url": "https://www.suse.com/security/cve/CVE-2015-7579"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7580"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7580",
"url": "https://www.suse.com/security/cve/CVE-2015-7580"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-7580"
},
{
"cve": "CVE-2018-3741",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3741"
}
],
"notes": [
{
"category": "general",
"text": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3741",
"url": "https://www.suse.com/security/cve/CVE-2018-3741"
},
{
"category": "external",
"summary": "SUSE Bug 1085967 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1085967"
},
{
"category": "external",
"summary": "SUSE Bug 1086598 for CVE-2018-3741",
"url": "https://bugzilla.suse.com/1086598"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-3741"
},
{
"cve": "CVE-2022-32209",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32209"
}
],
"notes": [
{
"category": "general",
"text": "# Possible XSS Vulnerability in Rails::Html::Sanitizer\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\nThis vulnerability has been assigned the CVE identifier CVE-2022-32209.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: v1.4.3\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer\u0027s allowed tags to allow both `select` and `style` elements.\n\nCode is only impacted if allowed tags are being overridden. This may be done via application configuration:\n\n```ruby\n# In config/application.rb\nconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`:\n\n```\n\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e\n```\n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\nOr it may be done with Rails::Html::SafeListSanitizer directly:\n\n```ruby\n# class-level option\nRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n```\n\nor\n\n```ruby\n# instance-level option\nRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])\n```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nRemove either `select` or `style` from the overridden allowed tags.\n\n## Credits\n\nThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32209",
"url": "https://www.suse.com/security/cve/CVE-2022-32209"
},
{
"category": "external",
"summary": "SUSE Bug 1201183 for CVE-2022-32209",
"url": "https://bugzilla.suse.com/1201183"
},
{
"category": "external",
"summary": "SUSE Bug 1206436 for CVE-2022-32209",
"url": "https://bugzilla.suse.com/1206436"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-rails-html-sanitizer-1.5.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-32209"
}
]
}