CVE-2015-7578 — Cross-site Scripting in Rails Rails-html-sanitizer

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 62.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Rails-html-sanitizer Debian Ruby-rails-html-sanitizer Rubyonrails Html Sanitizer

Timeline

PublishedFeb 16

Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/ruby-rails-html-sanitizer< ruby-rails-html-sanitizer 1.0.3-1 (bookworm)

▶NVDrubyonrails/html_sanitizer1.0.2

▶RubyGemsrails/rails-html-sanitizer< 1.0.3

🔴Vulnerability Details

OSV

rails-html-sanitizer Cross-site Scripting vulnerability↗2017-10-24

▶

GHSA

rails-html-sanitizer Cross-site Scripting vulnerability↗2017-10-24

▶

OSV

CVE-2015-7578: Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1↗2016-02-16

▶

📋Vendor Advisories

Debian

CVE-2015-7578: ruby-rails-html-sanitizer - Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before ...↗2015

▶

💬Community

HackerOne

Data-Tags and the New HTML Sanitizer Subverts CSRF protection↗2016-03-13

▶

Bugzilla

CVE-2015-7578 rubygem-rails-html-sanitizer: ruby: XSS vulnerability in rails-html-sanitizer [fedora-all]↗2016-01-26

▶

Bugzilla

CVE-2015-7578 rails-html-sanitizer: XSS vulnerability due to unremoved attributes from tags↗2016-01-26

▶