Vulnerability Details CVE-2015-7578
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.8%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/11
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://www.openwall.com/lists/oss-security/2016/01/25/11
- http://www.securitytracker.com/id/1034816
- https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
Products affected by CVE-2015-7578
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.0
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.1
-
cpe:2.3:a:rubyonrails:html_sanitizer:1.0.2
-
cpe:2.3:a:rubyonrails:rails:4.2.0
-
cpe:2.3:a:rubyonrails:rails:4.2.1
-
cpe:2.3:a:rubyonrails:rails:4.2.2
-
cpe:2.3:a:rubyonrails:rails:4.2.3
-
cpe:2.3:a:rubyonrails:rails:4.2.4
-
cpe:2.3:a:rubyonrails:rails:4.2.5
-
cpe:2.3:a:rubyonrails:rails:4.2.5.1
-
cpe:2.3:a:rubyonrails:rails:4.2.5.2
-
cpe:2.3:a:rubyonrails:rails:4.2.6
-
cpe:2.3:a:rubyonrails:rails:5.0.0