CVE-2014-0081: Cross-site Scripting in Rails

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.9% (top 24.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20; latest update Oct 24

Description

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N (Exploitability: 8.6 | Impact: 2.9)

Affected Packages (8 packages)

RubyGems: rubyonrails/rails, 3.0.0 to 3.2.17 (+1 more range)
Debian: rubyonrails/rails, < 2.3.14.1 (+3 more ranges)
NVD: rubyonrails/rails, 106 versions (+105 more)
RubyGems: actionpack_project/actionpack, 3.0.0 to 3.2.17 (+1 more range)

Also affects: Enterprise Linux 6.0

Vulnerability Details (4)

GHSA: Rails vulnerable to Cross-site Scripting (2017-10-24)
OSV: Rails vulnerable to Cross-site Scripting (2017-10-24)
CVEList: CVE-2014-0081: Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper (2014-02-20)
OSV: CVE-2014-0081: Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper (2014-02-20)

Vendor Advisories (2)

Red Hat: rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability (2014-02-18)
Debian: CVE-2014-0081: rails - Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_vie... (2014)

Community (2)

Bugzilla: CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability [fedora-all] (2014-02-18)
Bugzilla: CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability (2014-02-14)