CVE-2016-6316: Cross-site Scripting in Rails Actionview

CWE-79 Cross-site Scripting (10 documents, 7 sources)

Severity: 6.1 MEDIUM (NVD)
EPSS: 1.6% (top 18.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 7; latest update Oct 24

Description

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

RubyGems: rails/actionview, 3.0.0 to 3.2.22.3 (+2 more ranges)
Debian: rubyonrails/rails, < 2:4.2.7.1-1 (+3 more ranges)
NVD: rubyonrails/rails, 92 versions (+91 more)
NVD: rubyonrails/ruby_on_rails, 15 versions (+14 more)

Also affects: Debian Linux 8.0

🔴 Vulnerability Details (4)

GHSA: actionview Cross-site Scripting vulnerability (2017-10-24)
OSV: actionview Cross-site Scripting vulnerability (2017-10-24)
CVEList: CVE-2016-6316: Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3 (2016-09-07)
OSV: CVE-2016-6316: Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3 (2016-09-07)

📋 Vendor Advisories (2)

Red Hat: rubygem-actionview: cross-site scripting flaw in Action View (2016-08-11)
Debian: CVE-2016-6316: rails - Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x bef... (2016)

💬 Community (2)

Bugzilla: CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View [fedora-all] (2016-08-12)
Bugzilla: CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View (2016-08-08)
CVE-2016-6316 — Cross-site Scripting in Rails | cvebase