MEDIUM
GHSA-6h5q-96hp-9jgm
actionpack vulnerable to Cross-site Scripting
Details
Cross-site scripting (XSS) vulnerability in the `number_to_currency` helper in `actionpack/lib/action_view/helpers/number_helper.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the `unit` parameter (the `:unit` option). The helper substituted the unit into its format string without escaping it and marked the whole result `html_safe`, so an application that took the currency unit from user input rendered that input as raw markup. Rails 3.2.16 and 4.0.2 escape the unit before substitution.
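The following is an added example, not code from Rails or from this advisory: a simplified stand-alone model of the helper's formatting step (hypothetical `format_currency`, `number_to_currency_vulnerable` and `number_to_currency_fixed`) that shows the pre-fix behaviour beside the escaped form. The sample units, including the hostile one, are constructed for the example.

```ruby
require "erb"

# Simplified model of number_to_currency's formatting step (example code, not
# Rails' own implementation). Like the real helper it fills a format string in
# which %u is the unit and %n the formatted number. In Rails the returned
# string is marked html_safe, so whatever this function emits reaches the
# browser without further escaping.
def format_currency(number, unit:, format: "%u%n", precision: 2,
                    delimiter: ",", separator: ".")
  rounded = format("%.#{precision}f", number.to_f)
  int, frac = rounded.split(".")
  # Insert the thousands delimiter: "1234567" -> "1,234,567".
  int = int.gsub(/(\d)(?=(\d{3})+$)/, "\\1#{delimiter}")
  digits = frac ? "#{int}#{separator}#{frac}" : int
  # Block form of gsub so the substituted text is never treated as a
  # replacement pattern (a bare "\\1" in the unit would otherwise be expanded).
  format.gsub("%u") { unit }.gsub("%n") { digits }
end

# Pre-3.2.16 / pre-4.0.2 behaviour: the unit is substituted verbatim, so a
# unit taken from a request parameter becomes part of the "safe" HTML.
def number_to_currency_vulnerable(number, unit: "$")
  format_currency(number, unit: unit)
end

# Fixed behaviour: escape the unit first, so the only markup the helper
# vouches for is the markup it generated itself.
def number_to_currency_fixed(number, unit: "$")
  format_currency(number, unit: ERB::Util.html_escape(unit))
end

if __FILE__ == $PROGRAM_NAME
  hostile_unit = "<script>alert(1)</script>"   # constructed attacker input
  puts number_to_currency_vulnerable(1234.5, unit: hostile_unit)
  puts number_to_currency_fixed(1234.5, unit: hostile_unit)
end
```

Running the block prints the script tag intact for the vulnerable variant and `&lt;script&gt;alert(1)&lt;/script&gt;1,234.50` for the fixed one. The practical takeaway is the same as the patch: upgrade to 3.2.16 or 4.0.2 or later, and until then never pass an unescaped user-supplied value as `:unit`.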
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-6415 [ADVISORY]
- https://github.com/advisories/GHSA-6h5q-96hp-9jgm [ADVISORY]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml [WEB]
- https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0 [WEB]
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ [WEB]
- https://puppet.com/security/cve/cve-2013-6415 [WEB]
- https://web.archive.org/web/20131206180005/http://www.securityfocus.com/bid/64077 [WEB]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2013-1794.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2014-0008.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2014-1863.html [WEB]
- http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released [WEB]
- http://www.debian.org/security/2014/dsa-2888 [WEB]