Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-4592157653D70634A228B2043D8242B2

HistorySep 07, 2016 - 12:00 a.m.

Possible XSS Vulnerability

2016-09-0700:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.9%

JSON

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Affected configurations

Vulners

Node

gemactionviewRange4.0.0.alpha≥

gemactionviewRange<4.2.7.1

gemactionviewRange5.0.0.alpha≥

gemactionviewRange<5.0.0.1

CPENameOperatorVersion
gem/actionviewge4.0.0.alpha
gem/actionviewlt4.2.7.1
gem/actionviewge5.0.0.alpha
gem/actionviewlt5.0.0.1

Name	Operator	Version
gem/actionview	ge	4.0.0.alpha
gem/actionview	lt	4.2.7.1
gem/actionview	ge	5.0.0.alpha
gem/actionview	lt	5.0.0.1

References

groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.9%

JSON

Related for GITLAB-4592157653D70634A228B2043D8242B2