CVE-2020-5267 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Rails Actionview
Severity
4.8MEDIUMNVD
CNA4.0
EPSS
0.9%
top 24.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 19
Latest updateMay 5
Description
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7
Affected Packages5 packages
Also affects: Debian Linux 8.0, Fedora 33
Patches
🔴Vulnerability Details
4📋Vendor Advisories
2💬Community
3Bugzilla▶
CVE-2020-5267 rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks [fedora-all]↗2020-05-05
Bugzilla▶
CVE-2020-5267 rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks [fedora-all]↗2020-05-05
Bugzilla▶
CVE-2020-5267 rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks↗2020-05-05