CVE-2015-7580 — Cross-site Scripting in Rails Rails-html-sanitizer

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 62.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Rails-html-sanitizer Debian Ruby-rails-html-sanitizer Rubyonrails Html Sanitizer

Timeline

PublishedFeb 16

Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/ruby-rails-html-sanitizer< ruby-rails-html-sanitizer 1.0.3-1 (bookworm)

▶NVDrubyonrails/html_sanitizer1.0.2

▶RubyGemsrails/rails-html-sanitizer< 1.0.3

🔴Vulnerability Details

OSV

rails-html-sanitizer Cross-site Scripting vulnerability↗2017-10-24

▶

GHSA

rails-html-sanitizer Cross-site Scripting vulnerability↗2017-10-24

▶

OSV

CVE-2015-7580: Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers↗2016-02-16

▶

📋Vendor Advisories

Debian

CVE-2015-7580: ruby-rails-html-sanitizer - Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the r...↗2015

▶

💬Community

HackerOne

Potential XSS on sanitize/Rails::Html::WhiteListSanitizer↗2016-03-13

▶

Bugzilla

CVE-2015-7580 rubygem-rails-html-sanitizer: Possible XSS vulnerability in the white list sanitizer↗2016-01-26

▶