Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-5FD0ABE36E2EEE52D6830B6D79C4317D

HistoryNov 28, 2011 - 12:00 a.m.

Translate helper method which may allow an attacker to insert arbitrary code into a page

2011-11-2800:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.5%

JSON

The helper method for i18n translations has a convention whereby translations strings with a name ending in ‘html’ are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these ‘html’ strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.

Affected configurations

Vulners

Node

gemactionpackRange3.0.0.alpha0≥

gemactionpackRange<3.0.11

gemactionpackRange3.1.0.alpha0≥

gemactionpackRange<3.1.2

CPENameOperatorVersion
gem/actionpackge3.0.0.alpha0
gem/actionpacklt3.0.11
gem/actionpackge3.1.0.alpha0
gem/actionpacklt3.1.2

Name	Operator	Version
gem/actionpack	ge	3.0.0.alpha0
gem/actionpack	lt	3.0.11
gem/actionpack	ge	3.1.0.alpha0
gem/actionpack	lt	3.1.2

References

github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml

groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.5%

JSON

Related for GITLAB-5FD0ABE36E2EEE52D6830B6D79C4317D