CVE-2014-0081: XSS
First published: Thu Feb 20 2014(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/actionpack | >=4.0.0<4.0.3 | 4.0.3 |
| rubygems/actionpack | >=3.0.0<3.2.17 | 3.2.17 |
| rubygems/rails | >=4.0.0<4.0.3 | 4.0.3 |
| rubygems/rails | >=3.0.0<3.2.17 | 3.2.17 |
| Rubyonrails Rails | =0.9.1 | |
| Rubyonrails Rails | =0.9.2 | |
| Rubyonrails Rails | =0.9.3 | |
| Rubyonrails Rails | =0.9.4 | |
| Rubyonrails Rails | =0.9.4.1 | |
| Rubyonrails Rails | =0.10.0 | |
| Rubyonrails Rails | =0.10.1 | |
| Rubyonrails Rails | =0.11.0 | |
| Rubyonrails Rails | =0.11.1 | |
| Rubyonrails Rails | =0.12.0 | |
| Rubyonrails Rails | =0.12.1 | |
| Rubyonrails Rails | =0.13.0 | |
| Rubyonrails Rails | =0.13.1 | |
| Rubyonrails Rails | =0.14.1 | |
| Rubyonrails Rails | =0.14.2 | |
| Rubyonrails Rails | =0.14.3 | |
| Rubyonrails Rails | =0.14.4 | |
| Rubyonrails Rails | =1.0.0 | |
| Rubyonrails Rails | =1.1.0 | |
| Rubyonrails Rails | =1.1.1 | |
| Rubyonrails Rails | =1.1.2 | |
| Rubyonrails Rails | =1.1.3 | |
| Rubyonrails Rails | =1.1.4 | |
| Rubyonrails Rails | =1.1.5 | |
| Rubyonrails Rails | =1.1.6 | |
| Rubyonrails Rails | =1.2.0 | |
| Rubyonrails Rails | =1.2.1 | |
| Rubyonrails Rails | =1.2.2 | |
| Rubyonrails Rails | =1.2.3 | |
| Rubyonrails Rails | =1.2.4 | |
| Rubyonrails Rails | =1.2.5 | |
| Rubyonrails Rails | =1.2.6 | |
| Rubyonrails Rails | =1.9.5 | |
| Rubyonrails Rails | =2.0.0 | |
| Rubyonrails Rails | =2.0.0-rc1 | |
| Rubyonrails Rails | =2.0.0-rc2 | |
| Rubyonrails Rails | =2.0.1 | |
| Rubyonrails Rails | =2.0.2 | |
| Rubyonrails Rails | =2.0.4 | |
| Rubyonrails Rails | =2.1.0 | |
| Rubyonrails Rails | =2.1.1 | |
| Rubyonrails Rails | =2.1.2 | |
| Rubyonrails Rails | =2.2.0 | |
| Rubyonrails Rails | =2.2.1 | |
| Rubyonrails Rails | =2.2.2 | |
| Rubyonrails Rails | =2.3.0 | |
| Rubyonrails Rails | =2.3.1 | |
| Rubyonrails Rails | =2.3.2 | |
| Rubyonrails Rails | =2.3.3 | |
| Rubyonrails Rails | =2.3.4 | |
| Rubyonrails Rails | =2.3.9 | |
| Rubyonrails Rails | =2.3.10 | |
| Rubyonrails Rails | =2.3.11 | |
| Rubyonrails Rails | =2.3.12 | |
| Rubyonrails Rails | =2.3.13 | |
| Rubyonrails Rails | =2.3.14 | |
| Rubyonrails Rails | =2.3.15 | |
| Rubyonrails Rails | =2.3.16 | |
| Rubyonrails Rails | =3.0.0 | |
| Rubyonrails Rails | =3.0.0-beta | |
| Rubyonrails Rails | =3.0.0-beta2 | |
| Rubyonrails Rails | =3.0.0-beta3 | |
| Rubyonrails Rails | =3.0.0-beta4 | |
| Rubyonrails Rails | =3.0.0-rc | |
| Rubyonrails Rails | =3.0.0-rc2 | |
| Rubyonrails Rails | =3.0.1 | |
| Rubyonrails Rails | =3.0.1-pre | |
| Rubyonrails Rails | =3.0.2 | |
| Rubyonrails Rails | =3.0.2-pre | |
| Rubyonrails Rails | =3.0.3 | |
| Rubyonrails Rails | =3.0.4-rc1 | |
| Rubyonrails Rails | =3.0.5 | |
| Rubyonrails Rails | =3.0.5-rc1 | |
| Rubyonrails Rails | =3.0.6 | |
| Rubyonrails Rails | =3.0.6-rc1 | |
| Rubyonrails Rails | =3.0.6-rc2 | |
| Rubyonrails Rails | =3.0.7 | |
| Rubyonrails Rails | =3.0.7-rc1 | |
| Rubyonrails Rails | =3.0.7-rc2 | |
| Rubyonrails Rails | =3.0.8 | |
| Rubyonrails Rails | =3.0.8-rc1 | |
| Rubyonrails Rails | =3.0.8-rc2 | |
| Rubyonrails Rails | =3.0.8-rc3 | |
| Rubyonrails Rails | =3.0.8-rc4 | |
| Rubyonrails Rails | =3.0.9 | |
| Rubyonrails Rails | =3.0.9-rc1 | |
| Rubyonrails Rails | =3.0.9-rc2 | |
| Rubyonrails Rails | =3.0.9-rc3 | |
| Rubyonrails Rails | =3.0.9-rc4 | |
| Rubyonrails Rails | =3.0.9-rc5 | |
| Rubyonrails Rails | =3.0.10 | |
| Rubyonrails Rails | =3.0.10-rc1 | |
| Rubyonrails Rails | =3.0.11 | |
| Rubyonrails Rails | =3.0.12 | |
| Rubyonrails Rails | =3.0.12-rc1 | |
| Rubyonrails Rails | =3.0.13 | |
| Rubyonrails Rails | =3.0.13-rc1 | |
| Rubyonrails Rails | =3.0.14 | |
| Rubyonrails Rails | =3.0.16 | |
| Rubyonrails Rails | =3.0.17 | |
| Rubyonrails Rails | =3.0.18 | |
| Rubyonrails Rails | =3.0.19 | |
| Rubyonrails Rails | =3.0.20 | |
| Rubyonrails Rails | =3.1.0 | |
| Rubyonrails Rails | =3.1.0-beta1 | |
| Rubyonrails Rails | =3.1.0-rc1 | |
| Rubyonrails Rails | =3.1.0-rc2 | |
| Rubyonrails Rails | =3.1.0-rc3 | |
| Rubyonrails Rails | =3.1.0-rc4 | |
| Rubyonrails Rails | =3.1.0-rc5 | |
| Rubyonrails Rails | =3.1.0-rc6 | |
| Rubyonrails Rails | =3.1.0-rc7 | |
| Rubyonrails Rails | =3.1.0-rc8 | |
| Rubyonrails Rails | =3.1.1 | |
| Rubyonrails Rails | =3.1.1-rc1 | |
| Rubyonrails Rails | =3.1.1-rc2 | |
| Rubyonrails Rails | =3.1.1-rc3 | |
| Rubyonrails Rails | =3.1.2 | |
| Rubyonrails Rails | =3.1.2-rc1 | |
| Rubyonrails Rails | =3.1.2-rc2 | |
| Rubyonrails Rails | =3.1.3 | |
| Rubyonrails Rails | =3.1.4 | |
| Rubyonrails Rails | =3.1.4-rc1 | |
| Rubyonrails Rails | =3.1.5 | |
| Rubyonrails Rails | =3.1.5-rc1 | |
| Rubyonrails Rails | =3.1.6 | |
| Rubyonrails Rails | =3.1.7 | |
| Rubyonrails Rails | =3.1.8 | |
| Rubyonrails Rails | =3.1.9 | |
| Rubyonrails Rails | =3.1.10 | |
| Rubyonrails Rails | =3.2.0 | |
| Rubyonrails Rails | =3.2.0-rc1 | |
| Rubyonrails Rails | =3.2.0-rc2 | |
| Rubyonrails Rails | =3.2.1 | |
| Rubyonrails Rails | =3.2.2 | |
| Rubyonrails Rails | =3.2.2-rc1 | |
| Rubyonrails Rails | =3.2.3 | |
| Rubyonrails Rails | =3.2.3-rc1 | |
| Rubyonrails Rails | =3.2.3-rc2 | |
| Rubyonrails Rails | =3.2.4 | |
| Rubyonrails Rails | =3.2.4-rc1 | |
| Rubyonrails Rails | =3.2.5 | |
| Rubyonrails Rails | =3.2.6 | |
| Rubyonrails Rails | =3.2.7 | |
| Rubyonrails Rails | =3.2.8 | |
| Rubyonrails Rails | =3.2.9 | |
| Rubyonrails Rails | =3.2.10 | |
| Rubyonrails Rails | =3.2.11 | |
| Rubyonrails Rails | =3.2.12 | |
| Rubyonrails Rails | =3.2.13 | |
| Rubyonrails Rails | =3.2.13-rc1 | |
| Rubyonrails Rails | =3.2.13-rc2 | |
| Rubyonrails Rails | =3.2.15 | |
| Rubyonrails Rails | =3.2.15-rc3 | |
| Rubyonrails Rails | =4.0.0 | |
| Rubyonrails Rails | =4.0.0-beta | |
| Rubyonrails Rails | =4.0.0-rc1 | |
| Rubyonrails Rails | =4.0.0-rc2 | |
| Rubyonrails Rails | =4.0.1 | |
| Rubyonrails Rails | =4.0.1-rc1 | |
| Rubyonrails Rails | =4.0.1-rc2 | |
| Rubyonrails Rails | =4.0.1-rc3 | |
| Rubyonrails Rails | =4.0.1-rc4 | |
| Rubyonrails Rails | =4.0.2 | |
| Rubyonrails Rails | =4.1.0-beta1 | |
| Rubyonrails Ruby On Rails | <=3.2.16 | |
| Rubyonrails Ruby On Rails | =0.5.0 | |
| Rubyonrails Ruby On Rails | =0.5.5 | |
| Rubyonrails Ruby On Rails | =0.5.6 | |
| Rubyonrails Ruby On Rails | =0.5.7 | |
| Rubyonrails Ruby On Rails | =0.6.0 | |
| Rubyonrails Ruby On Rails | =0.6.5 | |
| Rubyonrails Ruby On Rails | =0.7.0 | |
| Rubyonrails Ruby On Rails | =0.8.0 | |
| Rubyonrails Ruby On Rails | =0.8.5 | |
| Rubyonrails Ruby On Rails | =0.9.0 | |
| Rubyonrails Ruby On Rails | =3.0.4 | |
| Rubyonrails Ruby On Rails | =3.2.14 | |
| Rubyonrails Ruby On Rails | =3.2.14-rc1 | |
| Rubyonrails Ruby On Rails | =3.2.14-rc2 | |
| Rubyonrails Ruby On Rails | =3.2.15-rc1 | |
| Rubyonrails Ruby On Rails | =3.2.15-rc2 | |
| openSUSE openSUSE | =13.1 | |
| Opensuse Project Opensuse | =12.3 | |
| Redhat Cloudforms | =3.0 | |
| Redhat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-0081
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
- http://openwall.com/lists/oss-security/2014/02/18/8
- http://rhn.redhat.com/errata/RHSA-2014-0215.html
- http://rhn.redhat.com/errata/RHSA-2014-0306.html
- https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
- https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
- https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
- https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
- https://github.com/advisories/GHSA-m46p-ggm5-5j83 (Advisory)
- http://secunia.com/advisories/57376
- http://www.securityfocus.com/bid/65647
- http://www.securitytracker.com/id/1029782
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
- collector/github-advisory-latest
- alias/GHSA-m46p-ggm5-5j83
- alias/CVE-2014-0081
- collector/github-advisory
- agent/references
- agent/type
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/description
- agent/event
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- vendor/rubyonrails
- canonical/rubyonrails rails
- version/rubyonrails rails/0.9.1
- version/rubyonrails rails/0.9.2
- version/rubyonrails rails/0.9.3
- version/rubyonrails rails/0.9.4
- version/rubyonrails rails/0.9.4.1
- version/rubyonrails rails/0.10.0
- version/rubyonrails rails/0.10.1
- version/rubyonrails rails/0.11.0
- version/rubyonrails rails/0.11.1
- version/rubyonrails rails/0.12.0
- version/rubyonrails rails/0.12.1
- version/rubyonrails rails/0.13.0
- version/rubyonrails rails/0.13.1
- version/rubyonrails rails/0.14.1
- version/rubyonrails rails/0.14.2
- version/rubyonrails rails/0.14.3
- version/rubyonrails rails/0.14.4
- version/rubyonrails rails/1.0.0
- version/rubyonrails rails/1.1.0
- version/rubyonrails rails/1.1.1
- version/rubyonrails rails/1.1.2
- version/rubyonrails rails/1.1.3
- version/rubyonrails rails/1.1.4
- version/rubyonrails rails/1.1.5
- version/rubyonrails rails/1.1.6
- version/rubyonrails rails/1.2.0
- version/rubyonrails rails/1.2.1
- version/rubyonrails rails/1.2.2
- version/rubyonrails rails/1.2.3
- version/rubyonrails rails/1.2.4
- version/rubyonrails rails/1.2.5
- version/rubyonrails rails/1.2.6
- version/rubyonrails rails/1.9.5
- version/rubyonrails rails/2.0.0
- version/rubyonrails rails/2.0.0-rc1
- version/rubyonrails rails/2.0.0-rc2
- version/rubyonrails rails/2.0.1
- version/rubyonrails rails/2.0.2
- version/rubyonrails rails/2.0.4
- version/rubyonrails rails/2.1.0
- version/rubyonrails rails/2.1.1
- version/rubyonrails rails/2.1.2
- version/rubyonrails rails/2.2.0
- version/rubyonrails rails/2.2.1
- version/rubyonrails rails/2.2.2
- version/rubyonrails rails/2.3.0
- version/rubyonrails rails/2.3.1
- version/rubyonrails rails/2.3.2
- version/rubyonrails rails/2.3.3
- version/rubyonrails rails/2.3.4
- version/rubyonrails rails/2.3.9
- version/rubyonrails rails/2.3.10
- version/rubyonrails rails/2.3.11
- version/rubyonrails rails/2.3.12
- version/rubyonrails rails/2.3.13
- version/rubyonrails rails/2.3.14
- version/rubyonrails rails/2.3.15
- version/rubyonrails rails/2.3.16
- version/rubyonrails rails/3.0.0
- version/rubyonrails rails/3.0.0-beta
- version/rubyonrails rails/3.0.0-beta2
- version/rubyonrails rails/3.0.0-beta3
- version/rubyonrails rails/3.0.0-beta4
- version/rubyonrails rails/3.0.0-rc
- version/rubyonrails rails/3.0.0-rc2
- version/rubyonrails rails/3.0.1
- version/rubyonrails rails/3.0.1-pre
- version/rubyonrails rails/3.0.2
- version/rubyonrails rails/3.0.2-pre
- version/rubyonrails rails/3.0.3
- version/rubyonrails rails/3.0.4-rc1
- version/rubyonrails rails/3.0.5
- version/rubyonrails rails/3.0.5-rc1
- version/rubyonrails rails/3.0.6
- version/rubyonrails rails/3.0.6-rc1
- version/rubyonrails rails/3.0.6-rc2
- version/rubyonrails rails/3.0.7
- version/rubyonrails rails/3.0.7-rc1
- version/rubyonrails rails/3.0.7-rc2
- version/rubyonrails rails/3.0.8
- version/rubyonrails rails/3.0.8-rc1
- version/rubyonrails rails/3.0.8-rc2
- version/rubyonrails rails/3.0.8-rc3
- version/rubyonrails rails/3.0.8-rc4
- version/rubyonrails rails/3.0.9
- version/rubyonrails rails/3.0.9-rc1
- version/rubyonrails rails/3.0.9-rc2
- version/rubyonrails rails/3.0.9-rc3
- version/rubyonrails rails/3.0.9-rc4
- version/rubyonrails rails/3.0.9-rc5
- version/rubyonrails rails/3.0.10
- version/rubyonrails rails/3.0.10-rc1
- version/rubyonrails rails/3.0.11
- version/rubyonrails rails/3.0.12
- version/rubyonrails rails/3.0.12-rc1
- version/rubyonrails rails/3.0.13
- version/rubyonrails rails/3.0.13-rc1
- version/rubyonrails rails/3.0.14
- version/rubyonrails rails/3.0.16
- version/rubyonrails rails/3.0.17
- version/rubyonrails rails/3.0.18
- version/rubyonrails rails/3.0.19
- version/rubyonrails rails/3.0.20
- version/rubyonrails rails/3.1.0
- version/rubyonrails rails/3.1.0-beta1
- version/rubyonrails rails/3.1.0-rc1
- version/rubyonrails rails/3.1.0-rc2
- version/rubyonrails rails/3.1.0-rc3
- version/rubyonrails rails/3.1.0-rc4
- version/rubyonrails rails/3.1.0-rc5
- version/rubyonrails rails/3.1.0-rc6
- version/rubyonrails rails/3.1.0-rc7
- version/rubyonrails rails/3.1.0-rc8
- version/rubyonrails rails/3.1.1
- version/rubyonrails rails/3.1.1-rc1
- version/rubyonrails rails/3.1.1-rc2
- version/rubyonrails rails/3.1.1-rc3
- version/rubyonrails rails/3.1.2
- version/rubyonrails rails/3.1.2-rc1
- version/rubyonrails rails/3.1.2-rc2
- version/rubyonrails rails/3.1.3
- version/rubyonrails rails/3.1.4
- version/rubyonrails rails/3.1.4-rc1
- version/rubyonrails rails/3.1.5
- version/rubyonrails rails/3.1.5-rc1
- version/rubyonrails rails/3.1.6
- version/rubyonrails rails/3.1.7
- version/rubyonrails rails/3.1.8
- version/rubyonrails rails/3.1.9
- version/rubyonrails rails/3.1.10
- version/rubyonrails rails/3.2.0
- version/rubyonrails rails/3.2.0-rc1
- version/rubyonrails rails/3.2.0-rc2
- version/rubyonrails rails/3.2.1
- version/rubyonrails rails/3.2.2
- version/rubyonrails rails/3.2.2-rc1
- version/rubyonrails rails/3.2.3
- version/rubyonrails rails/3.2.3-rc1
- version/rubyonrails rails/3.2.3-rc2
- version/rubyonrails rails/3.2.4
- version/rubyonrails rails/3.2.4-rc1
- version/rubyonrails rails/3.2.5
- version/rubyonrails rails/3.2.6
- version/rubyonrails rails/3.2.7
- version/rubyonrails rails/3.2.8
- version/rubyonrails rails/3.2.9
- version/rubyonrails rails/3.2.10
- version/rubyonrails rails/3.2.11
- version/rubyonrails rails/3.2.12
- version/rubyonrails rails/3.2.13
- version/rubyonrails rails/3.2.13-rc1
- version/rubyonrails rails/3.2.13-rc2
- version/rubyonrails rails/3.2.15
- version/rubyonrails rails/3.2.15-rc3
- version/rubyonrails rails/4.0.0
- version/rubyonrails rails/4.0.0-beta
- version/rubyonrails rails/4.0.0-rc1
- version/rubyonrails rails/4.0.0-rc2
- version/rubyonrails rails/4.0.1
- version/rubyonrails rails/4.0.1-rc1
- version/rubyonrails rails/4.0.1-rc2
- version/rubyonrails rails/4.0.1-rc3
- version/rubyonrails rails/4.0.1-rc4
- version/rubyonrails rails/4.0.2
- version/rubyonrails rails/4.1.0-beta1
- canonical/rubyonrails ruby on rails
- version/rubyonrails ruby on rails/3.2.16
- version/rubyonrails ruby on rails/0.5.0
- version/rubyonrails ruby on rails/0.5.5
- version/rubyonrails ruby on rails/0.5.6
- version/rubyonrails ruby on rails/0.5.7
- version/rubyonrails ruby on rails/0.6.0
- version/rubyonrails ruby on rails/0.6.5
- version/rubyonrails ruby on rails/0.7.0
- version/rubyonrails ruby on rails/0.8.0
- version/rubyonrails ruby on rails/0.8.5
- version/rubyonrails ruby on rails/0.9.0
- version/rubyonrails ruby on rails/3.0.4
- version/rubyonrails ruby on rails/3.2.14
- version/rubyonrails ruby on rails/3.2.14-rc1
- version/rubyonrails ruby on rails/3.2.14-rc2
- version/rubyonrails ruby on rails/3.2.15-rc1
- version/rubyonrails ruby on rails/3.2.15-rc2
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- vendor/opensuse project
- canonical/opensuse project opensuse
- version/opensuse project opensuse/12.3
- vendor/redhat
- canonical/redhat cloudforms
- version/redhat cloudforms/3.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0