Lucene search

K

[email protected]NVD:CVE-2015-7579

HistoryFeb 16, 2016 - 2:59 a.m.

CVE-2015-7579

2016-02-1602:59:03

CWE-79

[email protected]

web.nvd.nist.gov

3

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.4%

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.

Affected configurations

NVD

Node

rubyonrailshtml_sanitizerRange≤1.0.2ruby

AND

rubyonrailsrailsMatch4.2.0

OR

rubyonrailsrailsMatch4.2.0beta1

OR

rubyonrailsrailsMatch4.2.0beta2

OR

rubyonrailsrailsMatch4.2.0beta3

OR

rubyonrailsrailsMatch4.2.0beta4

OR

rubyonrailsrailsMatch4.2.0rc1

OR

rubyonrailsrailsMatch4.2.0rc2

OR

rubyonrailsrailsMatch4.2.0rc3

OR

rubyonrailsrailsMatch4.2.1

OR

rubyonrailsrailsMatch4.2.1rc1

OR

rubyonrailsrailsMatch4.2.1rc2

OR

rubyonrailsrailsMatch4.2.1rc3

OR

rubyonrailsrailsMatch4.2.1rc4

OR

rubyonrailsrailsMatch4.2.2

OR

rubyonrailsrailsMatch4.2.3

OR

rubyonrailsrailsMatch4.2.3rc1

OR

rubyonrailsrailsMatch4.2.4

OR

rubyonrailsrailsMatch4.2.4rc1

OR

rubyonrailsrailsMatch4.2.5

OR

rubyonrailsrailsMatch4.2.5rc1

OR

rubyonrailsrailsMatch4.2.5rc2

OR

rubyonrailsrailsMatch4.2.5.1

OR

rubyonrailsrailsMatch4.2.5.2

OR

rubyonrailsrailsMatch4.2.6rc1

OR

rubyonrailsrailsMatch5.0.0beta1

OR

rubyonrailsrailsMatch5.0.0beta1.1

OR

rubyonrailsrailsMatch5.0.0beta2

OR

rubyonrailsrailsMatch5.0.0beta3

References

lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html

lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html

lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html

lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

www.openwall.com/lists/oss-security/2016/01/25/12

www.securitytracker.com/id/1034816

github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f

groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.4%

Related for NVD:CVE-2015-7579

debiancve1 prion1 hackerone1 cve1 cvelist1 github1 seebug1 ubuntucve1 osv1 rubygems1 nessus3 fedora2 suse3 openvas4