0.003 Low
EPSS
Percentile
69.9%
It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack.
bugzilla.redhat.com/show_bug.cgi?id=1365008
groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ