CVE-2015-7580: XSS
First published: Tue Feb 16 2016(Updated: )
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rubyonrails Html Sanitizer | <=1.0.2 | |
| Rubyonrails Rails | =4.2.0 | |
| Rubyonrails Rails | =4.2.0-beta1 | |
| Rubyonrails Rails | =4.2.0-beta2 | |
| Rubyonrails Rails | =4.2.0-beta3 | |
| Rubyonrails Rails | =4.2.0-beta4 | |
| Rubyonrails Rails | =4.2.0-rc1 | |
| Rubyonrails Rails | =4.2.0-rc2 | |
| Rubyonrails Rails | =4.2.0-rc3 | |
| Rubyonrails Rails | =4.2.1 | |
| Rubyonrails Rails | =4.2.1-rc1 | |
| Rubyonrails Rails | =4.2.1-rc2 | |
| Rubyonrails Rails | =4.2.1-rc3 | |
| Rubyonrails Rails | =4.2.1-rc4 | |
| Rubyonrails Rails | =4.2.2 | |
| Rubyonrails Rails | =4.2.3 | |
| Rubyonrails Rails | =4.2.3-rc1 | |
| Rubyonrails Rails | =4.2.4 | |
| Rubyonrails Rails | =4.2.4-rc1 | |
| Rubyonrails Rails | =4.2.5 | |
| Rubyonrails Rails | =4.2.5-rc1 | |
| Rubyonrails Rails | =4.2.5-rc2 | |
| Rubyonrails Rails | =4.2.5.1 | |
| Rubyonrails Rails | =4.2.5.2 | |
| Rubyonrails Rails | =4.2.6-rc1 | |
| Rubyonrails Rails | =5.0.0-beta1 | |
| Rubyonrails Rails | =5.0.0-beta1.1 | |
| Rubyonrails Rails | =5.0.0-beta2 | |
| Rubyonrails Rails | =5.0.0-beta3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/15
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/rubyonrails
- canonical/rubyonrails html sanitizer
- version/rubyonrails html sanitizer/1.0.2
- canonical/rubyonrails rails
- version/rubyonrails rails/4.2.0
- version/rubyonrails rails/4.2.0-beta1
- version/rubyonrails rails/4.2.0-beta2
- version/rubyonrails rails/4.2.0-beta3
- version/rubyonrails rails/4.2.0-beta4
- version/rubyonrails rails/4.2.0-rc1
- version/rubyonrails rails/4.2.0-rc2
- version/rubyonrails rails/4.2.0-rc3
- version/rubyonrails rails/4.2.1
- version/rubyonrails rails/4.2.1-rc1
- version/rubyonrails rails/4.2.1-rc2
- version/rubyonrails rails/4.2.1-rc3
- version/rubyonrails rails/4.2.1-rc4
- version/rubyonrails rails/4.2.2
- version/rubyonrails rails/4.2.3
- version/rubyonrails rails/4.2.3-rc1
- version/rubyonrails rails/4.2.4
- version/rubyonrails rails/4.2.4-rc1
- version/rubyonrails rails/4.2.5
- version/rubyonrails rails/4.2.5-rc1
- version/rubyonrails rails/4.2.5-rc2
- version/rubyonrails rails/4.2.5.1
- version/rubyonrails rails/4.2.5.2
- version/rubyonrails rails/4.2.6-rc1
- version/rubyonrails rails/5.0.0-beta1
- version/rubyonrails rails/5.0.0-beta1.1
- version/rubyonrails rails/5.0.0-beta2
- version/rubyonrails rails/5.0.0-beta3