Lucene search

GitHub Advisory DatabaseGHSA-Q759-HWVC-M3JG

HistoryOct 24, 2017 - 6:33 p.m.

actionpack Cross-site Scripting vulnerability

2017-10-2418:33:37

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.9%

JSON

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

Affected configurations

Vulners

Node

actionpack_projectactionpackRange<3.2.13ruby

actionpack_projectactionpackRange<3.1.12ruby

actionpack_projectactionpackRange<2.3.18ruby

CPENameOperatorVersion
actionpacklt3.2.13
actionpacklt3.1.12
actionpacklt2.3.18

Name	Operator	Version
actionpack	lt	3.2.13
actionpack	lt	3.1.12
actionpack	lt	2.3.18

References

lists.opensuse.org/opensuse-updates/2013-04/msg00072.html

lists.opensuse.org/opensuse-updates/2013-04/msg00073.html

lists.opensuse.org/opensuse-updates/2014-01/msg00013.html

rhn.redhat.com/errata/RHSA-2013-0698.html

rhn.redhat.com/errata/RHSA-2014-1863.html

support.apple.com/kb/HT5784

weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/

access.redhat.com/errata/RHSA-2013:0698

access.redhat.com/errata/RHSA-2014:1863

access.redhat.com/security/cve/CVE-2013-1855

bugzilla.redhat.com/show_bug.cgi?id=921331

github.com/advisories/GHSA-q759-hwvc-m3jg

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml

groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain

nvd.nist.gov/vuln/detail/CVE-2013-1855

web.archive.org/web/20130609174600/lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

web.archive.org/web/20131109010518/lists.apple.com/archives/security-announce/2013/Oct/msg00006.html

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.9%

JSON

Related for GHSA-Q759-HWVC-M3JG