Cross-site scripting vulnerability in rails-html-sanitizer for Ruby on Rails
CVE-2015-7579

6.1MEDIUM

Key Information:

Vendor

Rubyonrails

Status
Html Sanitizer
Vendor
CVE Published:
16 February 2016

What is CVE-2015-7579?

The rails-html-sanitizer gem version 1.0.2, utilized in Ruby on Rails versions 4.2.x and 5.x, is susceptible to a cross-site scripting (XSS) vulnerability. This flaw enables remote attackers to exploit the Rails::Html::FullSanitizer class by injecting arbitrary web scripts or HTML through improperly handled HTML entities, potentially compromising users' web security.

References

https://github.com/rails/rails-html-sanitizer/commit/49df...
x_refsource_CONFIRM
https://groups.google.com/forum/message/raw?msg=ruby-secu...
mailing-listx_refsource_MLIST
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.