Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:RAILS-HTML-SANITIZER-2015-7578
HistoryJan 24, 2016 - 9:00 p.m.

Possible XSS vulnerability in rails-html-sanitizer

2016-01-2421:00:00
RubySec
rubysec.com
10

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.4%

JSON

There is a possible XSS vulnerability in rails-html-sanitizer. This
vulnerability has been assigned the CVE identifier CVE-2015-7578.

Versions Affected: All.
Not affected: None.
Fixed Versions: 1.0.3

Impact

There is a possible XSS vulnerability in rails-html-sanitizer. Certain
attributes are not removed from tags when they are sanitized, and these
attributes can lead to an XSS attack on target applications.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 1-0-sanitize_data_attributes.patch - Patch for 1.0 series

Credits

Thanks to Ben Murphy and Marien for reporting this.

CPENameOperatorVersion
rails-html-sanitizerlt1.0.3

Related

cve 1
prion 1
github 1
cvelist 1
osv 1
debiancve 1
ubuntucve 1
hackerone 1
nvd 1
openvas 4
nessus 3
fedora 2
suse 3
cve
cve
CVE-2015-7578
2016-02-16 02:59:02
prion
prion
Cross site scripting
2016-02-16 02:59:00
github
github
rails-html-sanitizer Cross-site Scripting vulnerability
2017-10-24 18:33:36
cvelist
cvelist
CVE-2015-7578
2016-02-16 02:00:00
osv
osv
rails-html-sanitizer Cross-site Scripting vulnerability
2017-10-24 18:33:36
debiancve
debiancve
CVE-2015-7578
2016-02-16 02:59:02
ubuntucve
ubuntucve
CVE-2015-7578
2016-02-16 00:00:00
hackerone
hackerone
Ruby on Rails: Data-Tags and the New HTML Sanitizer Subverts CSRF protection
2015-01-07 00:38:28
nvd
nvd
CVE-2015-7578
2016-02-16 02:59:02
openvas
openvas
Fedora Update for rubygem-rails-html-sanitizer FEDORA-2016-3
2016-02-29 00:00:00
openSUSE: Security Advisory for rubygem-rails-html-sanitizer (openSUSE-SU-2016:0356-1)
2016-02-08 00:00:00
Fedora Update for rubygem-rails-html-sanitizer FEDORA-2016-59
2016-02-29 00:00:00
nessus
nessus
Fedora 23 : rubygem-rails-html-sanitizer-1.0.3-1.fc23 (2016-59ce8b61dd)
2016-03-04 00:00:00
Fedora 22 : rubygem-rails-html-sanitizer-1.0.1-2.fc22 (2016-3a2606f993)
2016-03-04 00:00:00
openSUSE Security Update : rubygem-rails-html-sanitizer (openSUSE-2016-148)
2016-02-08 00:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: rubygem-rails-html-sanitizer-1.0.1-2.fc22
2016-02-28 08:31:19
[SECURITY] Fedora 23 Update: rubygem-rails-html-sanitizer-1.0.3-1.fc23
2016-02-28 12:28:41
suse
suse
Security update for rubygem-rails-html-sanitizer (important)
2016-02-09 14:12:34
Security update for rubygem-rails-html-sanitizer (important)
2016-02-07 17:11:11
Security update for portus (important)
2016-04-25 20:07:56

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

69.4%

JSON
Related for RUBY:RAILS-HTML-SANITIZER-2015-7578
cve1prion1github1cvelist1osv1debiancve1ubuntucve1hackerone1nvd1openvas4nessus3fedora2suse3