Sha256: 2567139ed930fad0977a6d4614da500e71563c14884dce466b38d7a3ad643e65

Contents?: true

Size: 797 Bytes

Versions: 6

Stored size: 797 Bytes

Contents

---
gem: actionpack
framework: rails
cve: 2013-6416
osvdb: 100526
url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
title: XSS Vulnerability in simple_format helper
date: 2013-12-03

description: |
  There is a vulnerability in the simple_format helper in Ruby on Rails.
  The simple_format helper converts user-supplied text into HTML text
  which is intended to be safe for display. A change made to the
  implementation of this helper means that any user-provided HTML
  attributes will not be escaped correctly. As a result of this error,
  applications which pass user-controlled data to be included as HTML
  attributes will be vulnerable to an XSS attack.

cvss_v2: 4.3

unaffected_versions:
  - ~> 2.3.0
  - ~> 3.1.0
  - ~> 3.2.0

patched_versions:
  - ">= 4.0.2"
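To show how the unaffected_versions and patched_versions constraints above are meant to be evaluated, here is an added example (not part of the advisory file or of bundler-audit itself) that loads this record and decides whether a given actionpack version is affected. It assumes the same rule bundler-audit applies: a version is affected unless it satisfies at least one constraint from either list, with Gem::Requirement supplying the "~>" pessimistic-operator semantics.

```ruby
require "yaml"
require "date"
require "rubygems"

# The advisory record from this page (ruby-advisory-db format), embedded inline.
ADVISORY_YAML = <<~YAML
  gem: actionpack
  framework: rails
  cve: 2013-6416
  osvdb: 100526
  title: XSS Vulnerability in simple_format helper
  date: 2013-12-03
  cvss_v2: 4.3
  unaffected_versions:
    - "~> 2.3.0"
    - "~> 3.1.0"
    - "~> 3.2.0"
  patched_versions:
    - ">= 4.0.2"
YAML

# Date must be explicitly permitted under safe_load because of the date: key.
ADVISORY = YAML.safe_load(ADVISORY_YAML, permitted_classes: [Date])

# Turn each constraint string into a Gem::Requirement so that "~> 3.2.0"
# means ">= 3.2.0, < 3.3" rather than a plain string comparison.
def requirements(key)
  Array(ADVISORY[key]).map { |spec| Gem::Requirement.new(spec) }
end

# Assumed matching rule: a version is affected unless it satisfies at least
# one unaffected_versions or patched_versions constraint.
def vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  safe = requirements("unaffected_versions") + requirements("patched_versions")
  safe.none? { |req| req.satisfied_by?(version) }
end

# One report line per version, flagging affected ones with the CVE id.
def audit_report(versions)
  versions.map do |v|
    status = vulnerable?(v) ? "VULNERABLE (CVE-#{ADVISORY['cve']})" : "ok"
    "actionpack #{v}: #{status}"
  end
end

puts audit_report(%w[2.3.18 3.2.16 4.0.0 4.0.1 4.0.2 4.1.0])
```

Note that versions on a series no constraint covers (for example 3.0.x) are reported as affected, which is the conservative reading of an advisory that lists neither a patched nor an unaffected range for them.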

Version data entries

6 entries across 6 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml