CVE-2015-7579: XSS
First published: Tue Feb 16 2016(Updated: )
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rubyonrails Html Sanitizer | <=1.0.2 | |
| Rubyonrails Rails | =4.2.0 | |
| Rubyonrails Rails | =4.2.0-beta1 | |
| Rubyonrails Rails | =4.2.0-beta2 | |
| Rubyonrails Rails | =4.2.0-beta3 | |
| Rubyonrails Rails | =4.2.0-beta4 | |
| Rubyonrails Rails | =4.2.0-rc1 | |
| Rubyonrails Rails | =4.2.0-rc2 | |
| Rubyonrails Rails | =4.2.0-rc3 | |
| Rubyonrails Rails | =4.2.1 | |
| Rubyonrails Rails | =4.2.1-rc1 | |
| Rubyonrails Rails | =4.2.1-rc2 | |
| Rubyonrails Rails | =4.2.1-rc3 | |
| Rubyonrails Rails | =4.2.1-rc4 | |
| Rubyonrails Rails | =4.2.2 | |
| Rubyonrails Rails | =4.2.3 | |
| Rubyonrails Rails | =4.2.3-rc1 | |
| Rubyonrails Rails | =4.2.4 | |
| Rubyonrails Rails | =4.2.4-rc1 | |
| Rubyonrails Rails | =4.2.5 | |
| Rubyonrails Rails | =4.2.5-rc1 | |
| Rubyonrails Rails | =4.2.5-rc2 | |
| Rubyonrails Rails | =4.2.5.1 | |
| Rubyonrails Rails | =4.2.5.2 | |
| Rubyonrails Rails | =4.2.6-rc1 | |
| Rubyonrails Rails | =5.0.0-beta1 | |
| Rubyonrails Rails | =5.0.0-beta1.1 | |
| Rubyonrails Rails | =5.0.0-beta2 | |
| Rubyonrails Rails | =5.0.0-beta3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/12
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ
- collector/nvd-index
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/rubyonrails
- canonical/rubyonrails html sanitizer
- version/rubyonrails html sanitizer/1.0.2
- canonical/rubyonrails rails
- version/rubyonrails rails/4.2.0
- version/rubyonrails rails/4.2.0-beta1
- version/rubyonrails rails/4.2.0-beta2
- version/rubyonrails rails/4.2.0-beta3
- version/rubyonrails rails/4.2.0-beta4
- version/rubyonrails rails/4.2.0-rc1
- version/rubyonrails rails/4.2.0-rc2
- version/rubyonrails rails/4.2.0-rc3
- version/rubyonrails rails/4.2.1
- version/rubyonrails rails/4.2.1-rc1
- version/rubyonrails rails/4.2.1-rc2
- version/rubyonrails rails/4.2.1-rc3
- version/rubyonrails rails/4.2.1-rc4
- version/rubyonrails rails/4.2.2
- version/rubyonrails rails/4.2.3
- version/rubyonrails rails/4.2.3-rc1
- version/rubyonrails rails/4.2.4
- version/rubyonrails rails/4.2.4-rc1
- version/rubyonrails rails/4.2.5
- version/rubyonrails rails/4.2.5-rc1
- version/rubyonrails rails/4.2.5-rc2
- version/rubyonrails rails/4.2.5.1
- version/rubyonrails rails/4.2.5.2
- version/rubyonrails rails/4.2.6-rc1
- version/rubyonrails rails/5.0.0-beta1
- version/rubyonrails rails/5.0.0-beta1.1
- version/rubyonrails rails/5.0.0-beta2
- version/rubyonrails rails/5.0.0-beta3