Cross-Site Scripting Vulnerability in Ruby on Rails Sanitizer
CVE-2015-7580

6.1MEDIUM

Key Information:

Vendor

Rubyonrails

Status
Html Sanitizer
Vendor
CVE Published:
16 February 2016

What is CVE-2015-7580?

A cross-site scripting vulnerability exists in the rails-html-sanitizer gem prior to version 1.0.3, utilized by Ruby on Rails versions 4.2.x and 5.x. This flaw permits remote attackers to inject arbitrary web scripts or HTML by exploiting a crafted CDATA node, potentially compromising the integrity of web applications that rely on this sanitization for user-generated content. It underscores the importance of regularly updating dependencies to safeguard applications against such threats.

References

https://groups.google.com/forum/message/raw?msg=rubyonrai...
mailing-listx_refsource_MLIST
http://lists.opensuse.org/opensuse-security-announce/2016...
vendor-advisoryx_refsource_SUSE
http://www.openwall.com/lists/oss-security/2016/01/25/15
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.