GSD-2013-6415
Vulnerability from gsd - Updated: 2013-12-03 00:00Details
There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
The number_to_currency helper allows users to nicely format a numeric value. One
of the parameters to the helper (unit) is not escaped correctly. Applications
which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-6415",
"description": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.",
"id": "GSD-2013-6415",
"references": [
"https://www.suse.com/security/cve/CVE-2013-6415.html",
"https://www.debian.org/security/2014/dsa-2888",
"https://access.redhat.com/errata/RHSA-2014:1863",
"https://access.redhat.com/errata/RHSA-2014:0008",
"https://access.redhat.com/errata/RHSA-2013:1794"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2013-6415",
"OSVDB-100524"
],
"details": "There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.\nThe number_to_currency helper allows users to nicely format a numeric value. One\nof the parameters to the helper (unit) is not escaped correctly. Applications\nwhich pass user controlled data as the unit parameter are vulnerable to an XSS attack.\n",
"id": "GSD-2013-6415",
"modified": "2013-12-03T00:00:00.000Z",
"published": "2013-12-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "XSS Vulnerability in number_to_currency"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6415",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-6415"
},
{
"name": "openSUSE-SU-2014:0019",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1905",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "64077",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64077"
},
{
"name": "56093",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/56093"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-6415",
"cvss_v2": 4.3,
"date": "2013-12-03",
"description": "There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.\nThe number_to_currency helper allows users to nicely format a numeric value. One\nof the parameters to the helper (unit) is not escaped correctly. Applications\nwhich pass user controlled data as the unit parameter are vulnerable to an XSS attack.\n",
"framework": "rails",
"gem": "actionpack",
"osvdb": 100524,
"patched_versions": [
"~\u003e 3.2.16",
"\u003e= 4.0.2"
],
"title": "XSS Vulnerability in number_to_currency",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c3.2.16||\u003e=4.0.0 \u003c4.0.2",
"affected_versions": "All versions before 3.2.16, all versions starting from 4.0.0 before 4.0.2",
"credit": "Ankit Gupta",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-08-08",
"description": "The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack.",
"fixed_versions": [
"3.2.16",
"4.0.2"
],
"identifier": "CVE-2013-6415",
"identifiers": [
"CVE-2013-6415"
],
"not_impacted": "You\u0027re not impacted if your application does not pass unescaped user controlled data as the unit parameter.",
"package_slug": "gem/actionpack",
"pubdate": "2013-12-06",
"solution": "Upgrade to latest or escape user controlled data passed at the unit parameter like this: \u003c%= number_to_currency(1.02, unit: h(params[:currency])) %\u003e ",
"title": "XSS Vulnerability in number_to_currency",
"urls": [
"http://seclists.org/oss-sec/2013/q4/402"
],
"uuid": "d645c583-f278-4ba6-909e-9f75800fce1e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6415"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "56093",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/56093"
},
{
"name": "openSUSE-SU-2014:0019",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1905",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "64077",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/64077"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6415",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2013-6415"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2019-08-08T15:42Z",
"publishedDate": "2013-12-07T00:55Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…