Vulnerability Details CVE-2015-7578
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/11
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/11
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
Products affected by CVE-2015-7578
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.0
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.1
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.2
-
cpe:2.3:a:rubyonrails:rails:4.2.0
-
cpe:2.3:a:rubyonrails:rails:4.2.1
-
cpe:2.3:a:rubyonrails:rails:4.2.2
-
cpe:2.3:a:rubyonrails:rails:4.2.3
-
cpe:2.3:a:rubyonrails:rails:4.2.4
-
cpe:2.3:a:rubyonrails:rails:4.2.5
-
cpe:2.3:a:rubyonrails:rails:4.2.5.1
-
cpe:2.3:a:rubyonrails:rails:4.2.5.2
-
cpe:2.3:a:rubyonrails:rails:4.2.6
-
cpe:2.3:a:rubyonrails:rails:5.0.0