CVSS2 score: 4.3 Medium

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS score: 0.002 Low (percentile 60.4%)
The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular, the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable; however, all users running an affected release should still upgrade.
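As an added example (not code from Rails or from this advisory), a minimal escaper with the gap described above sits next to a corrected one, and both render a constructed value into a single-quoted attribute, the context in which the missing escape matters; the helper names are assumptions:

```ruby
# Added example, not Rails code: a deliberately incomplete HTML escaper in the
# shape of the flaw described above, beside a corrected one.

# Escapes only & < > " and leaves the single quote untouched (the flaw).
INCOMPLETE_MAP = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
# Also escapes the single quote, using the numeric reference &#39; rather than
# &apos;, which is not an HTML 4 entity.
COMPLETE_MAP = INCOMPLETE_MAP.merge("'" => "&#39;").freeze

def escape_incomplete(str)
  str.gsub(/[&<>"]/, INCOMPLETE_MAP)
end

def escape_complete(str)
  str.gsub(/[&<>"']/, COMPLETE_MAP)
end

# Renders an attribute with single quotes around the escaped value; Rails' own
# helpers use double quotes, which is why most applications were unaffected.
def single_quoted_attr(name, value, escaper)
  "#{name}='#{escaper.call(value)}'"
end

# Counts single quotes in the rendered attribute: a correct escaper yields
# exactly the two delimiters; any more means the value closed the attribute
# early, which is the integrity (markup injection) impact the advisory rates.
def quote_count(attr_html)
  attr_html.count("'")
end

# Constructed sample input: a benign value containing an apostrophe.
SAMPLE = "O'Reilly".freeze

if __FILE__ == $PROGRAM_NAME
  [method(:escape_incomplete), method(:escape_complete)].each do |esc|
    html = single_quoted_attr("title", SAMPLE, esc)
    puts "#{esc.name}: #{html} (single quotes: #{quote_count(html)})"
  end
end
```

Running it shows the incomplete escaper producing `title='O'Reilly'` (three quotes, attribute terminated early) and the corrected one producing `title='O&#39;Reilly'`.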
CPE Name | Operator | Version
---|---|---
gem/activesupport | lt | 3.0.17
gem/activesupport | ge | 3.1.0
gem/activesupport | lt | 3.1.8
gem/activesupport | ge | 3.2.0
gem/activesupport | lt | 3.2.8