CVE-2015-7579: Cross-site Scripting in rails-html-sanitizer (Ruby on Rails)

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.2% (top 62.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 16, 2016; latest update Oct 24

Description

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 (the sanitizer behind Action View's strip_tags in Ruby on Rails 4.2.x and 5.x) allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class: markup supplied in entity-encoded form passes tag stripping and is emitted as live HTML. Fixed in rails-html-sanitizer 1.0.3.
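The failure mode described above, as an added illustration (this is not the gem's code, which is built on Loofah/Nokogiri; the regex tag stripper, the function names strip_tags_vulnerable / strip_tags_fixed and the sample inputs are constructed for this example): a "full" sanitizer removes every tag and returns the remaining text. If that text is the parser's entity-decoded text and the caller treats it as already-safe HTML, "&lt;script&gt;" comes back out as "<script>". The fixed variant re-escapes the extracted text before returning it.

```ruby
require "cgi"

# Added example modelling the CVE-2015-7579 failure mode; not the gem's code.
# Constructed attacker input: a script tag written as entities. It contains no
# literal '<', so tag stripping leaves it untouched.
ENTITY_PAYLOAD = "hi &lt;script&gt;alert(1)&lt;/script&gt; there".freeze

# Constructed ordinary input with a real tag and a harmless entity.
BENIGN_INPUT = "<b>bold</b> &amp; more".freeze

# Hypothetical vulnerable strip_tags: drops real tags, then returns the
# decoded text, which turns entities back into live '<' and '>'.
def strip_tags_vulnerable(html)
  without_tags = html.gsub(/<[^>]*>/, "")
  CGI.unescapeHTML(without_tags)
end

# Hypothetical fixed strip_tags: same text extraction, but the result is
# escaped again before being handed back as HTML.
def strip_tags_fixed(html)
  decoded = CGI.unescapeHTML(html.gsub(/<[^>]*>/, ""))
  CGI.escapeHTML(decoded)
end

# Check: does the sanitizer output contain anything a browser parses as a tag?
def contains_tag?(output)
  output.match?(%r{</?[a-z][^>]*>}i)
end

if __FILE__ == $PROGRAM_NAME
  [ENTITY_PAYLOAD, BENIGN_INPUT].each do |input|
    puts "input:      #{input}"
    v = strip_tags_vulnerable(input)
    f = strip_tags_fixed(input)
    puts "vulnerable: #{v}  (tag? #{contains_tag?(v)})"
    puts "fixed:      #{f}  (tag? #{contains_tag?(f)})"
  end
end
```

To check a real installation rather than this model, compare `Rails::Html::FullSanitizer.new.sanitize("&lt;script&gt;alert(1)&lt;/script&gt;")` on 1.0.2 and on 1.0.3 or later; the vulnerable release hands back a literal script tag, and since strip_tags output is returned to the view as HTML, that is what the browser renders.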

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Ecosystem | Package | Affected range
Debian | debian/ruby-rails-html-sanitizer | < 1.0.3-1 (bookworm)
RubyGems | rails/rails-html-sanitizer | < 1.0.3

Vulnerability Details (3)

- GHSA: rails-html-sanitizer Cross-site Scripting vulnerability (2017-10-24)
- OSV: rails-html-sanitizer Cross-site Scripting vulnerability (2017-10-24)
- OSV: CVE-2015-7579: Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1... (2016-02-16)

Vendor Advisories (1)

- Debian: CVE-2015-7579: ruby-rails-html-sanitizer - Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 f... (2015)

Community (2)

- HackerOne: [Rails42] We can inject HTML tags when server is using strip_tags method (2016-03-13)
- Bugzilla: CVE-2015-7579 rubygem-rails-html-sanitizer: XSS vulnerability in Action View's strip_tags function (2016-01-26)