CVE-2013-1855 (Medium) detected in actionpack-3.0.9.gem
mend-bolt-for-github opened this issue
CVE-2013-1855 - Medium Severity Vulnerability
Vulnerable Library - actionpack-3.0.9.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.9.gem
Dependency Hierarchy:
- rails-3.0.9.gem (Root Library)
  - railties-3.0.9.gem
    - ❌ actionpack-3.0.9.gem (Vulnerable Library)
Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc
Found in base branch: master
Vulnerability Details
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. The root cause is that in Ruby regular expressions ^ and $ match at line boundaries, not string boundaries: a style attribute whose first line is harmless CSS can carry disallowed tokens on a later line and still satisfy checks written with ^ and $, so those tokens are then copied into the sanitized output. The fixed releases anchor the checks with \A and \z so the whole string must pass.
Publish Date: 2013-03-19
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
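The newline-anchor problem described above, as an added example that is not code from the actionpack gem or from this issue: a reduced model of the sanitize_css "gauntlet" check, with the line-anchored (vulnerable) pattern beside the string-anchored (fixed) one. The property whitelist, helper names, and the inputs are constructed for the demonstration; the regex shapes follow the described check but are simplified.

```ruby
# Added example, not the gem's code: a reduced model of the sanitize_css
# gauntlet. Property list, helper names and inputs are constructed.
ALLOWED_CSS_PROPERTIES = %w[color background-color font-size font-weight].freeze

# Vulnerable shape: in Ruby, ^ and $ are LINE anchors, so a style string that
# contains "\n" passes the first check if ANY single line satisfies it.
VULN_GAUNTLET = [
  /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*$/,
  /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
].freeze

# Fixed shape: \A and \z anchor to the start and end of the WHOLE string,
# which is the change the 2.3.18 / 3.1.12 / 3.2.13 releases made.
FIXED_GAUNTLET = [
  /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*\z/,
  /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/
].freeze

# Shared shape of the sanitizer: strip url(...), require the string to look
# like plain CSS, then rebuild it from whitelisted properties only. Values of
# whitelisted properties are copied through, so everything rides on the gauntlet.
def sanitize_css_with(style, gauntlet)
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
  return '' unless gauntlet.all? { |re| style =~ re }
  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    clean << "#{prop}: #{val.strip};" if ALLOWED_CSS_PROPERTIES.include?(prop.downcase)
  end
  clean.join(' ')
end

def vulnerable_sanitize_css(style)
  sanitize_css_with(style, VULN_GAUNTLET)
end

def fixed_sanitize_css(style)
  sanitize_css_with(style, FIXED_GAUNTLET)
end

# Constructed inputs. The payload's first line is clean CSS; the second line
# carries a parenthesised token sequence the gauntlet is meant to reject
# (only "(digits, spaces)" groups are allowed). With ^/$ the first line alone
# satisfies the check and the second line is copied into the output.
BENIGN_STYLE  = "color: red; font-size: 12px"
PAYLOAD_STYLE = "color: red;\ncolor: expression(alert(1))"
```

Run it with `ruby` and compare `vulnerable_sanitize_css(PAYLOAD_STYLE)` with `fixed_sanitize_css(PAYLOAD_STYLE)`: the line-anchored version returns both declarations, the string-anchored version returns the empty string. Note that a newline by itself is not what the fix rejects; a multi-line style whose every line is clean CSS still passes the fixed check, because `\s` matches `\n`.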
CVSS 3 Score Details (5.5)
Base Score Metrics: not reported by the scanner (every exploitability metric and every impact metric is shown as N/A).
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
Release Date: 2013-03-19
Fix Resolution: 2.3.18, 3.1.12, 3.2.13. No fixed release was issued for the 3.0.x series, so rails-3.0.9 (and with it railties and actionpack) cannot be patched in place and has to move to at least 3.1.12 or 3.2.13. All three of those branches are themselves long end-of-life, so a currently supported Rails release is the practical upgrade target.