CVE-2020-15169 — Cross-site Scripting in View Project Action View

CWE-79 — Cross-site Scripting9 documents7 sources

Severity

6.1MEDIUMNVD

CNA5.4

EPSS

1.5%

top 18.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Actionview Rubyonrails Rails Action View Project Action View +2 more

Timeline

PublishedSep 11

Description

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in version…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5rails/actionview< 5.2.4.4+1

▶RubyGemsrails/actionview6.0.0.0 — 6.0.3.3+1

▶NVDaction_view_project/action_view6.0.0.0 — 6.0.3.3+1

▶Debianrubyonrails/rails< 2:6.0.3.3+dfsg-1+3

Also affects: Debian Linux 10.0, Fedora 33

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-15169: In Action View before versions 5↗2020-09-11

▶

OSV

XSS in Action View↗2020-09-11

▶

CVEList

XSS in Action View↗2020-09-11

▶

GHSA

XSS in Action View↗2020-09-11

▶

📋Vendor Advisories

Red Hat

rubygem-activeview: Cross-site scripting in translation helpers↗2020-09-09

▶

Debian

CVE-2020-15169: rails - In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Si...↗2020

▶

💬Community

Bugzilla

CVE-2020-15169 rubygem-activeview: Cross-site scripting in translation helpers↗2020-09-09

▶

Bugzilla

CVE-2020-15169 rubygem-actionview: rubygem-activeview: Cross-site scripting in translation helpers [fedora-all]↗2020-09-09

▶