MEDIUM 6.1

GHSA-pc3m-v286-2jwj

actionview Cross-site Scripting vulnerability

Details

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / actionview

Introduced in: 3.0.0 Fixed in: 3.2.22.3

Fix bundle update actionview

RubyGems / actionview

Introduced in: 4.0.0 Fixed in: 4.2.7.1

Fix bundle update actionview

RubyGems / actionview

Introduced in: 5.0.0 Fixed in: 5.0.0.1

Fix bundle update actionview

References

https://nvd.nist.gov/vuln/detail/CVE-2016-6316 [ADVISORY]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-6316.yml [WEB]
https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE [WEB]
https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk [WEB]
https://web.archive.org/web/20200227202008/http://www.securityfocus.com/bid/92430 [WEB]
https://web.archive.org/web/20200812154343/https://puppet.com/security/cve/cve-2016-6316 [WEB]
http://rhn.redhat.com/errata/RHSA-2016-1855.html [WEB]
http://rhn.redhat.com/errata/RHSA-2016-1856.html [WEB]
http://rhn.redhat.com/errata/RHSA-2016-1857.html [WEB]
http://rhn.redhat.com/errata/RHSA-2016-1858.html [WEB]
http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released [WEB]
http://www.debian.org/security/2016/dsa-3651 [WEB]
http://www.openwall.com/lists/oss-security/2016/08/11/3 [WEB]