---
gem: actionpack
framework: rails
cve: 2013-6415
osvdb: 100524
url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
title: XSS Vulnerability in number_to_currency
date: 2013-12-03

description: |
  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
  The number_to_currency helper allows users to nicely format a numeric value. One
  of the parameters to the helper (unit) is not escaped correctly.  Applications
  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.

cvss_v2: 

patched_versions:
  - ~> 3.2.16
  - ">= 4.0.2"