Lucene search
HistorySep 07, 2016 - 7:28 p.m.
CVE-2016-6316
cve-2016-6316
cross-site scripting
xss
ruby on rails
security
vulnerability
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
59.8%
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as “HTML safe” and used as attribute values in tag handlers.
Affected configurations
Node
rubyonrailsrailsMatch3.0.0
ORrubyonrailsrailsMatch3.0.0beta
ORrubyonrailsrailsMatch3.0.0beta2
ORrubyonrailsrailsMatch3.0.0beta3
ORrubyonrailsrailsMatch3.0.0beta4
ORrubyonrailsrailsMatch3.0.0rc
ORrubyonrailsrailsMatch3.0.0rc2
ORrubyonrailsrailsMatch3.0.1
ORrubyonrailsrailsMatch3.0.2
ORrubyonrailsrailsMatch3.0.3
ORrubyonrailsrailsMatch3.0.4rc1
ORrubyonrailsrailsMatch3.0.5
ORrubyonrailsrailsMatch3.0.5rc1
ORrubyonrailsrailsMatch3.0.6
ORrubyonrailsrailsMatch3.0.6rc1
ORrubyonrailsrailsMatch3.0.6rc2
ORrubyonrailsrailsMatch3.0.7
ORrubyonrailsrailsMatch3.0.7rc1
ORrubyonrailsrailsMatch3.0.7rc2
ORrubyonrailsrailsMatch3.0.8
ORrubyonrailsrailsMatch3.0.8rc1
ORrubyonrailsrailsMatch3.0.8rc2
ORrubyonrailsrailsMatch3.0.8rc3
ORrubyonrailsrailsMatch3.0.8rc4
ORrubyonrailsrailsMatch3.0.9
ORrubyonrailsrailsMatch3.0.9rc1
ORrubyonrailsrailsMatch3.0.9rc2
ORrubyonrailsrailsMatch3.0.9rc3
ORrubyonrailsrailsMatch3.0.9rc4
ORrubyonrailsrailsMatch3.0.9rc5
ORrubyonrailsrailsMatch3.0.10
ORrubyonrailsrailsMatch3.0.10rc1
ORrubyonrailsrailsMatch3.0.11
ORrubyonrailsrailsMatch3.0.12
ORrubyonrailsrailsMatch3.0.12rc1
ORrubyonrailsrailsMatch3.0.13
ORrubyonrailsrailsMatch3.0.13rc1
ORrubyonrailsrailsMatch3.0.14
ORrubyonrailsrailsMatch3.0.16
ORrubyonrailsrailsMatch3.0.17
ORrubyonrailsrailsMatch3.0.18
ORrubyonrailsrailsMatch3.0.19
ORrubyonrailsrailsMatch3.0.20
ORrubyonrailsrailsMatch3.1.0
ORrubyonrailsrailsMatch3.1.0beta1
ORrubyonrailsrailsMatch3.1.0rc1
ORrubyonrailsrailsMatch3.1.0rc2
ORrubyonrailsrailsMatch3.1.0rc3
ORrubyonrailsrailsMatch3.1.0rc4
ORrubyonrailsrailsMatch3.1.0rc5
ORrubyonrailsrailsMatch3.1.0rc6
ORrubyonrailsrailsMatch3.1.0rc7
ORrubyonrailsrailsMatch3.1.0rc8
ORrubyonrailsrailsMatch3.1.1
ORrubyonrailsrailsMatch3.1.1rc1
ORrubyonrailsrailsMatch3.1.1rc2
ORrubyonrailsrailsMatch3.1.1rc3
ORrubyonrailsrailsMatch3.1.2
ORrubyonrailsrailsMatch3.1.2rc1
ORrubyonrailsrailsMatch3.1.2rc2
ORrubyonrailsrailsMatch3.1.3
ORrubyonrailsrailsMatch3.1.4
ORrubyonrailsrailsMatch3.1.4rc1
ORrubyonrailsrailsMatch3.1.5
ORrubyonrailsrailsMatch3.1.5rc1
ORrubyonrailsrailsMatch3.1.6
ORrubyonrailsrailsMatch3.1.7
ORrubyonrailsrailsMatch3.1.8
ORrubyonrailsrailsMatch3.1.9
ORrubyonrailsrailsMatch3.1.10
ORrubyonrailsrailsMatch3.1.12
ORrubyonrailsrailsMatch3.2.0
ORrubyonrailsrailsMatch3.2.0rc1
ORrubyonrailsrailsMatch3.2.0rc2
ORrubyonrailsrailsMatch3.2.1
ORrubyonrailsrailsMatch3.2.2
ORrubyonrailsrailsMatch3.2.2rc1
ORrubyonrailsrailsMatch3.2.3
ORrubyonrailsrailsMatch3.2.3rc1
ORrubyonrailsrailsMatch3.2.3rc2
ORrubyonrailsrailsMatch3.2.4
ORrubyonrailsrailsMatch3.2.4rc1
ORrubyonrailsrailsMatch3.2.5
ORrubyonrailsrailsMatch3.2.6
ORrubyonrailsrailsMatch3.2.7
ORrubyonrailsrailsMatch3.2.7rc1
ORrubyonrailsrailsMatch3.2.8
ORrubyonrailsrailsMatch3.2.8rc1
ORrubyonrailsrailsMatch3.2.8rc2
ORrubyonrailsrailsMatch3.2.9
ORrubyonrailsrailsMatch3.2.9rc1
ORrubyonrailsrailsMatch3.2.9rc2
ORrubyonrailsrailsMatch3.2.9rc3
ORrubyonrailsrailsMatch3.2.10
ORrubyonrailsrailsMatch3.2.11
ORrubyonrailsrailsMatch3.2.12
ORrubyonrailsrailsMatch3.2.13
ORrubyonrailsrailsMatch3.2.13rc1
ORrubyonrailsrailsMatch3.2.13rc2
ORrubyonrailsrailsMatch3.2.15
ORrubyonrailsrailsMatch3.2.15rc3
ORrubyonrailsrailsMatch3.2.16
ORrubyonrailsrailsMatch3.2.17
ORrubyonrailsrailsMatch3.2.18
ORrubyonrailsrailsMatch3.2.21
ORrubyonrailsrailsMatch3.2.22.2
ORrubyonrailsrailsMatch4.0.0-
ORrubyonrailsrailsMatch4.0.0beta
ORrubyonrailsrailsMatch4.0.0rc1
ORrubyonrailsrailsMatch4.0.0rc2
ORrubyonrailsrailsMatch4.0.1-
ORrubyonrailsrailsMatch4.0.1rc1
ORrubyonrailsrailsMatch4.0.1rc2
ORrubyonrailsrailsMatch4.0.1rc3
ORrubyonrailsrailsMatch4.0.1rc4
ORrubyonrailsrailsMatch4.0.2
ORrubyonrailsrailsMatch4.0.3
ORrubyonrailsrailsMatch4.0.4
ORrubyonrailsrailsMatch4.0.4rc1
ORrubyonrailsrailsMatch4.0.5
ORrubyonrailsrailsMatch4.0.6
ORrubyonrailsrailsMatch4.0.6rc1
ORrubyonrailsrailsMatch4.0.6rc2
ORrubyonrailsrailsMatch4.0.6rc3
ORrubyonrailsrailsMatch4.0.7
ORrubyonrailsrailsMatch4.0.8
ORrubyonrailsrailsMatch4.0.9
ORrubyonrailsrailsMatch4.0.10
ORrubyonrailsrailsMatch4.0.10rc1
ORrubyonrailsrailsMatch4.1.0-
ORrubyonrailsrailsMatch4.1.0beta1
ORrubyonrailsrailsMatch4.1.0beta2
ORrubyonrailsrailsMatch4.1.0rc1
ORrubyonrailsrailsMatch4.1.0rc2
ORrubyonrailsrailsMatch4.1.1
ORrubyonrailsrailsMatch4.1.2
ORrubyonrailsrailsMatch4.1.2rc1
ORrubyonrailsrailsMatch4.1.2rc2
ORrubyonrailsrailsMatch4.1.2rc3
ORrubyonrailsrailsMatch4.1.3
ORrubyonrailsrailsMatch4.1.4
ORrubyonrailsrailsMatch4.1.5
ORrubyonrailsrailsMatch4.1.6
ORrubyonrailsrailsMatch4.1.6rc1
ORrubyonrailsrailsMatch4.1.6rc2
ORrubyonrailsrailsMatch4.1.7
ORrubyonrailsrailsMatch4.1.7.1
ORrubyonrailsrailsMatch4.1.8
ORrubyonrailsrailsMatch4.1.9
ORrubyonrailsrailsMatch4.1.9rc1
ORrubyonrailsrailsMatch4.1.10
ORrubyonrailsrailsMatch4.1.10rc1
ORrubyonrailsrailsMatch4.1.10rc2
ORrubyonrailsrailsMatch4.1.10rc3
ORrubyonrailsrailsMatch4.1.10rc4
ORrubyonrailsrailsMatch4.1.12
ORrubyonrailsrailsMatch4.1.12rc1
ORrubyonrailsrailsMatch4.1.13
ORrubyonrailsrailsMatch4.1.13rc1
ORrubyonrailsrailsMatch4.1.14
ORrubyonrailsrailsMatch4.1.14rc1
ORrubyonrailsrailsMatch4.1.14rc2
ORrubyonrailsrailsMatch4.1.14.2
ORrubyonrailsrailsMatch4.1.15
ORrubyonrailsrailsMatch4.1.15rc1
ORrubyonrailsrailsMatch4.1.16
ORrubyonrailsrailsMatch4.1.16rc1
ORrubyonrailsrailsMatch4.2.0
ORrubyonrailsrailsMatch4.2.0beta1
ORrubyonrailsrailsMatch4.2.0beta2
ORrubyonrailsrailsMatch4.2.0beta3
ORrubyonrailsrailsMatch4.2.0beta4
ORrubyonrailsrailsMatch4.2.0rc1
ORrubyonrailsrailsMatch4.2.0rc2
ORrubyonrailsrailsMatch4.2.0rc3
ORrubyonrailsrailsMatch4.2.1
ORrubyonrailsrailsMatch4.2.1rc1
ORrubyonrailsrailsMatch4.2.1rc2
ORrubyonrailsrailsMatch4.2.1rc3
ORrubyonrailsrailsMatch4.2.1rc4
ORrubyonrailsrailsMatch4.2.2
ORrubyonrailsrailsMatch4.2.3
ORrubyonrailsrailsMatch4.2.3rc1
ORrubyonrailsrailsMatch4.2.4
ORrubyonrailsrailsMatch4.2.4rc1
ORrubyonrailsrailsMatch4.2.5
ORrubyonrailsrailsMatch4.2.5rc1
ORrubyonrailsrailsMatch4.2.5rc2
ORrubyonrailsrailsMatch4.2.5.1
ORrubyonrailsrailsMatch4.2.5.2
ORrubyonrailsrailsMatch4.2.6
ORrubyonrailsrailsMatch4.2.6rc1
ORrubyonrailsrailsMatch4.2.7
ORrubyonrailsrailsMatch4.2.7rc1
ORrubyonrailsrailsMatch5.0.0beta1
ORrubyonrailsrailsMatch5.0.0beta1.1
ORrubyonrailsrailsMatch5.0.0beta2
ORrubyonrailsrailsMatch5.0.0beta3
ORrubyonrailsrailsMatch5.0.0beta4
ORrubyonrailsrailsMatch5.0.0rc1
ORrubyonrailsrailsMatch5.0.0rc2
ORrubyonrailsruby_on_railsMatch3.0.4
ORrubyonrailsruby_on_railsMatch3.2.14
ORrubyonrailsruby_on_railsMatch3.2.14rc1
ORrubyonrailsruby_on_railsMatch3.2.14rc2
ORrubyonrailsruby_on_railsMatch3.2.15rc1
ORrubyonrailsruby_on_railsMatch3.2.15rc2
ORrubyonrailsruby_on_railsMatch3.2.19
ORrubyonrailsruby_on_railsMatch3.2.20
ORrubyonrailsruby_on_railsMatch3.2.22
ORrubyonrailsruby_on_railsMatch3.2.22.1
ORrubyonrailsruby_on_railsMatch4.0.10rc2
ORrubyonrailsruby_on_railsMatch4.0.11
ORrubyonrailsruby_on_railsMatch4.0.11.1
ORrubyonrailsruby_on_railsMatch4.0.12
ORrubyonrailsruby_on_railsMatch4.0.13
ORrubyonrailsruby_on_railsMatch4.0.13rc1
ORrubyonrailsruby_on_railsMatch4.1.11
ORrubyonrailsruby_on_railsMatch4.1.14.1
ORrubyonrailsruby_on_railsMatch5.0.0
ORrubyonrailsruby_on_railsMatch5.0.0racecar1
Node
debiandebian_linuxMatch8.0
References
rhn.redhat.com/errata/RHSA-2016-1855.html
rhn.redhat.com/errata/RHSA-2016-1856.html
rhn.redhat.com/errata/RHSA-2016-1857.html
rhn.redhat.com/errata/RHSA-2016-1858.html
weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
www.debian.org/security/2016/dsa-3651
www.openwall.com/lists/oss-security/2016/08/11/3
www.securityfocus.com/bid/92430
groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE
puppet.com/security/cve/cve-2016-6316
Social References
More
Related
redhat
redhat
(RHSA-2016:1858) Moderate: ruby193-rubygem-actionpack security update
2016-09-13 09:51:35
(RHSA-2016:1857) Moderate: ror40-rubygem-actionpack security update
2016-09-13 09:51:16
(RHSA-2016:1856) Moderate: rh-ror41-rubygem-actionview security update
2016-09-13 09:50:58
openvas
openvas
Debian: Security Advisory (DSA-3651-1)
2016-08-24 00:00:00
Ruby on Rails Action View Cross Site Scripting Vulnerability - Windows
2016-10-13 00:00:00
Fedora Update for rubygem-actionview FEDORA-2016-0d9890f7b5
2016-08-27 00:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: rubygem-actionview-4.2.3-6.fc23
2016-08-26 12:50:04
[SECURITY] Fedora 24 Update: rubygem-actionview-4.2.5.2-3.fc24
2016-08-26 10:24:48
[SECURITY] Fedora 25 Update: rubygem-actioncable-5.0.0.1-1.fc25
2016-08-27 11:11:22
debiancve
debiancve
CVE-2016-6316
2016-09-07 19:28:10
debian
debian
[SECURITY] [DSA 3651-1] rails security update
2016-08-25 16:20:10
[SECURITY] [DSA 3651-1] rails security update
2016-08-25 16:20:10
[SECURITY] [DLA 604-1] ruby-actionpack-3.2 security update
2016-08-28 18:14:37
github
github
actionview Cross-site Scripting vulnerability
2017-10-24 18:33:35
freebsd
freebsd
Rails 4 -- Possible XSS Vulnerability in Action View
2016-08-11 00:00:00
nessus
nessus
FreeBSD : Rails 4 -- Possible XSS Vulnerability in Action View (43f1c867-654a-11e6-8286-00248c0c745d)
2016-10-17 00:00:00
Debian DSA-3651-1 : rails - security update
2016-08-26 00:00:00
Fedora 24 : rubygem-actionview (2016-0d9890f7b5)
2016-08-29 00:00:00
redhatcve
redhatcve
CVE-2016-6316
2016-08-12 06:18:33
prion
prion
Cross site scripting
2016-09-07 19:28:00
veracode
veracode
Cross-Site Scripting (XSS)
2019-01-15 09:13:09
gitlab
gitlab
Possible XSS Vulnerability
2016-09-07 00:00:00
threatpost
threatpost
GPG Patches 18-Year-Old Libgcrypt RNG Bug
2016-08-18 12:39:21
cvelist
cvelist
CVE-2016-6316
2016-09-07 19:00:00
osv
osv
actionview Cross-site Scripting vulnerability
2017-10-24 18:33:35
rails - security update
2016-08-25 00:00:00
ruby-actionpack-3.2 - security update
2016-08-28 00:00:00
nvd
nvd
CVE-2016-6316
2016-09-07 19:28:10
ubuntucve
ubuntucve
CVE-2016-6316
2016-09-07 00:00:00
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
59.8%
Related for CVE-2016-6316