Cross-Site Scripting Vulnerability in Ruby on Rails Sanitizer by Rails
CVE-2015-7578

6.1MEDIUM

Key Information:

Vendor

Rubyonrails

Status
Html Sanitizer
Vendor
CVE Published:
16 February 2016

What is CVE-2015-7578?

A cross-site scripting vulnerability exists in the rails-html-sanitizer gem prior to version 1.0.3, affecting Ruby on Rails versions 4.2.x and 5.x. This flaw permits remote attackers to execute arbitrary web scripts or HTML by exploiting crafted tag attributes, which can compromise the security of web applications using these versions. Proper sanitization measures should be adopted to mitigate potential risks.

References

http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
http://www.openwall.com/lists/oss-security/2016/01/25/11
mailing-listx_refsource_MLIST
http://lists.opensuse.org/opensuse-security-announce/2016...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.