Lucene search
RedHatRHSA-2016:1855HistorySep 13, 2016 - 9:49 a.m.
(RHSA-2016:1855) Moderate: rh-ror42 security update
2016-09-1309:49:49
access.redhat.com
21
0.003 Low
EPSS
Percentile
69.9%
Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component, and Active Record implements the model component.
Security Fix(es) in rubygem-actionview:
- It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)
Security Fix(es) in rubygem-activerecord:
- A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)
Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.
Related
openvas
openvas
Fedora Update for rubygem-railties FEDORA-2016-5760339e76
2016-12-07 00:00:00
Fedora Update for rubygem-activesupport FEDORA-2016-5760339e76
2016-12-07 00:00:00
Fedora Update for rubygem-actionmailer FEDORA-2016-5760339e76
2016-12-07 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: rubygem-actioncable-5.0.0.1-1.fc25
2016-08-27 11:11:22
[SECURITY] Fedora 25 Update: rubygem-activejob-5.0.0.1-1.fc25
2016-08-27 11:11:22
[SECURITY] Fedora 25 Update: rubygem-actionmailer-5.0.0.1-1.fc25
2016-08-27 11:11:22
nessus
nessus
redhatcve
redhatcve
CVE-2016-6317
2016-08-12 06:18:38
CVE-2016-6316
2016-08-12 06:18:33
redhat
redhat
(RHSA-2016:1858) Moderate: ruby193-rubygem-actionpack security update
2016-09-13 09:51:35
(RHSA-2016:1856) Moderate: rh-ror41-rubygem-actionview security update
2016-09-13 09:50:58
(RHSA-2016:1857) Moderate: ror40-rubygem-actionpack security update
2016-09-13 09:51:16
debiancve
debiancve
CVE-2016-6316
2016-09-07 19:28:10
CVE-2016-6317
2016-09-07 19:28:11
gitlab
gitlab
Possible XSS Vulnerability
2016-09-07 00:00:00
Unsafe Query Generation Risk
2016-09-07 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2019-01-15 09:13:09
prion
prion
Cross site scripting
2016-09-07 19:28:00
Design/Logic Flaw
2016-09-07 19:28:00
threatpost
threatpost
GPG Patches 18-Year-Old Libgcrypt RNG Bug
2016-08-18 12:39:21
osv
osv
actionview Cross-site Scripting vulnerability
2017-10-24 18:33:35
rails - security update
2016-08-25 00:00:00
ActiveRecord in Ruby on Rails allows database-query bypass
2017-10-24 18:33:35
cvelist
cvelist
CVE-2016-6316
2016-09-07 19:00:00
CVE-2016-6317
2016-09-07 19:00:00
cve
cve
CVE-2016-6316
2016-09-07 19:28:10
CVE-2016-6317
2016-09-07 19:28:11
freebsd
freebsd
Rails 4 -- Possible XSS Vulnerability in Action View
2016-08-11 00:00:00
Rails 4 -- Unsafe Query Generation Risk in Active Record
2016-08-11 00:00:00
debian
debian
[SECURITY] [DSA 3651-1] rails security update
2016-08-25 16:20:10
[SECURITY] [DSA 3651-1] rails security update
2016-08-25 16:20:10
[SECURITY] [DLA 604-1] ruby-actionpack-3.2 security update
2016-08-28 18:14:37
github
github
actionview Cross-site Scripting vulnerability
2017-10-24 18:33:35
ActiveRecord in Ruby on Rails allows database-query bypass
2017-10-24 18:33:35
nvd
nvd
CVE-2016-6316
2016-09-07 19:28:10
CVE-2016-6317
2016-09-07 19:28:11
ubuntucve
ubuntucve
CVE-2016-6316
2016-09-07 00:00:00
CVE-2016-6317
2016-09-07 00:00:00
hackerone
hackerone