Sha256: 2540e8875ac51b1ec57eb9461f4a38a7a129fab0e13918430aee02a990de6f82

Contents?: true

Size: 968 Bytes

Versions: 6

Compression:

Stored size: 968 Bytes

Contents

---
gem: ember-source
cve: 2015-1866
url: https://groups.google.com/forum/#!topic/ember-security/nbntfs2EbRU
title: Ember.js XSS Vulnerability With {{view "select"}} Options
date: 2015-04-14
description: |
  In general, Ember.js escapes or strips any user-supplied content before
  inserting it in strings that will be sent to innerHTML.  However, a
  change made to the implementation of the select view means that any
  user-supplied data bound to an option's label will not be escaped
  correctly.

  In applications that use Ember's select view and pass user-supplied
  content to the label, a specially-crafted payload could execute
  arbitrary JavaScript in the context of the current domain ("XSS").

  All users running an affected release and binding user-supplied data to
  the select options should either upgrade or use one of the workarounds
  immediately.
patched_versions:
  - ~> 1.10.1
  - ~> 1.11.2
  - ">= 1.12.0"
unaffected_versions:
  - "< 1.10.0"
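
The `patched_versions` and `unaffected_versions` lists above are RubyGems requirement strings, and a scanner such as bundler-audit treats a version as vulnerable only when it matches none of them. The script below is an added example (not code from ruby-advisory-db or bundler-audit) that loads a constructed copy of this advisory's version fields and evaluates an installed ember-source version against them with `Gem::Requirement`; the decision rule (any patched or unaffected match means not vulnerable) is a paraphrase of how such tools read this file, not a quotation of bundler-audit's source.

```ruby
require "yaml"
require "rubygems"

# Constructed copy of the advisory shown above (only the keys needed here).
# Requirement strings are quoted so YAML never misreads the leading "~" or "<".
ADVISORY_YAML = <<~YAML
  gem: ember-source
  cve: 2015-1866
  patched_versions:
    - "~> 1.10.1"
    - "~> 1.11.2"
    - ">= 1.12.0"
  unaffected_versions:
    - "< 1.10.0"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# Parse each requirement with RubyGems' own grammar, so "~>" (pessimistic),
# ">=" and "<" mean exactly what they mean in a Gemfile.
def requirements(list)
  Array(list).map { |r| Gem::Requirement.new(r) }
end

# A version is vulnerable unless it satisfies at least one patched_versions
# requirement or at least one unaffected_versions requirement.
def vulnerable?(advisory, version_string)
  version    = Gem::Version.new(version_string)
  patched    = requirements(advisory["patched_versions"])
  unaffected = requirements(advisory["unaffected_versions"])
  return false if patched.any?    { |req| req.satisfied_by?(version) }
  return false if unaffected.any? { |req| req.satisfied_by?(version) }
  true
end

def status(advisory, version_string)
  vulnerable?(advisory, version_string) ? "VULNERABLE" : "ok"
end

if __FILE__ == $PROGRAM_NAME
  # Walk the boundaries of each requirement: 1.10.0 and 1.11.0/1.11.1 are the
  # releases the advisory covers; everything else matches a patched or
  # unaffected range.
  %w[1.9.1 1.10.0 1.10.1 1.11.0 1.11.1 1.11.2 1.12.0 2.0.0].each do |v|
    puts "#{ADVISORY['gem']} #{v} (CVE-#{ADVISORY['cve']}): #{status(ADVISORY, v)}"
  end
end
```

Note that `~> 1.10.1` covers `>= 1.10.1, < 1.11`, so 1.11.0 is not patched by the first entry and is caught only if it reaches `~> 1.11.2`, which it does not; that is why both pessimistic entries are needed and why a scanner must check every entry rather than the first match.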

Version data entries

6 entries across 6 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml