Vulnerable Library - actionpack-3.0.9.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.9.gem

Dependency Hierarchy:

• rails-3.0.9.gem (Root Library)
  • railties-3.0.9.gem
    • ❌ actionpack-3.0.9.gem (Vulnerable Library)

Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc

Found in base branch: master

Vulnerability Details

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

Publish Date: 2013-03-19

URL: CVE-2013-1855

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1855

Release Date: 2013-03-19

Fix Resolution: 2.3.18,3.1.12,3.2.13