Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
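The mechanism behind the three helpers is the same: each pastes the caller's format, negative_format or units option into a template around the formatted number and returns the result as markup that the view emits without further escaping (the Rails helpers mark their return value html_safe). Any of those options that carries request data, for instance a view calling number_to_currency(total, format: params[:format]), therefore becomes an XSS sink, because the helper escapes the number but not the template it is inserted into. The following is an added example, not code from Rails or from any of the referenced advisories: a toy stand-in for number_to_currency and number_to_human (number_to_percentage follows the same pattern and is omitted) with the vulnerable shape beside the hardened shape, which HTML-escapes every option before substituting it. The PAYLOAD constant, the escape: flag on number_to_human and the simplified number formatting (fixed precision, comma delimiter, no locale) are all constructed for this illustration.

```ruby
require "erb"

# Added example, not Rails' own code: a minimal stand-in for the affected
# helpers that reproduces the shape of CVE-2014-0081 and of its fix. Like the
# real helpers, each method returns a string the view layer emits as-is, so
# whatever is interpolated into format, negative_format or units reaches the
# browser verbatim unless the helper escapes it first.
module NumberHelperDemo
  module_function

  # Constructed attacker input, as handed to a view that does
  #   number_to_currency(total, format: params[:format])
  PAYLOAD = "<img src=x onerror=alert(1)>%u%n".freeze

  # Rounds to the given precision and inserts a thousands delimiter. Rails does
  # much more here (locale, separator, stripping zeros); this is enough here.
  def format_number(number, precision: 2)
    sign = number.negative? ? "-" : ""
    int, frac = ("%.#{precision}f" % number.abs).split(".")
    int = int.reverse.scan(/\d{1,3}/).join(",").reverse
    "#{sign}#{int}#{frac ? ".#{frac}" : ""}"
  end

  # Shared template expansion: %n is the formatted (unsigned) number, %u the
  # unit; the sign is the negative_format template's job, as in Rails.
  # Block form of gsub so backslashes in the options are not interpreted.
  def expand(number, unit, format, negative_format)
    tmpl = number.negative? ? negative_format : format
    tmpl.gsub("%n") { format_number(number.abs) }.gsub("%u") { unit }
  end

  # Vulnerable shape (Rails before 3.2.17 / 4.0.3): options are trusted as-is.
  def number_to_currency_vulnerable(number, unit: "$", format: "%u%n", negative_format: nil)
    expand(number, unit, format, negative_format || "-#{format}")
  end

  # Fixed shape: HTML-escape each option before it is pasted into the
  # template; the number itself is produced by the helper and stays unescaped.
  def number_to_currency_fixed(number, unit: "$", format: "%u%n", negative_format: nil)
    format = ERB::Util.html_escape(format.to_s)
    negative_format = negative_format ? ERB::Util.html_escape(negative_format.to_s) : "-#{format}"
    expand(number, ERB::Util.html_escape(unit.to_s), format, negative_format)
  end

  # number_to_human picks a magnitude label out of the units hash, e.g.
  # { thousand: "k", million: "M" }; that hash is the third injection point
  # named in the CVE. escape: false reproduces the vulnerable behaviour.
  MAGNITUDES = { unit: 0, thousand: 3, million: 6, billion: 9 }.freeze

  def number_to_human(number, units: {}, escape: true)
    exp = number.zero? ? 0 : Math.log10(number.abs).floor
    exp = (exp / 3 * 3).clamp(0, 9)
    label = units.fetch(MAGNITUDES.key(exp), "").to_s
    label = ERB::Util.html_escape(label) if escape
    "#{format_number(number / 10.0**exp, precision: 1)} #{label}".strip
  end
end

if $PROGRAM_NAME == __FILE__
  puts NumberHelperDemo.number_to_currency_vulnerable(1234.5, format: NumberHelperDemo::PAYLOAD)
  # => <img src=x onerror=alert(1)>$1,234.50      (markup reaches the page)
  puts NumberHelperDemo.number_to_currency_fixed(1234.5, format: NumberHelperDemo::PAYLOAD)
  # => &lt;img src=x onerror=alert(1)&gt;$1,234.50  (rendered as text)
end
```

Note what the hardened variant does not do: it escapes the options, not the assembled string, so a template that legitimately contains entities or a currency unit such as "&euro;" must be passed already decoded. When auditing an application on an affected release, the thing to grep for is any call to these helpers whose format, negative_format, unit or units option is not a literal.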
CVSS v3.1: not assigned
CVSS v3.0: not assigned
CVSS v2 base metrics (base score 4.3, Medium)
Metric | Value |
---|---|
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | None |
Integrity Impact | Partial |
Availability Impact | None |
Vector string | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Vendors | Products |
---|---|
Redhat | |
Opensuse Project | |
Rubyonrails | |
Opensuse | |
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html | Third Party Advisory |
http://openwall.com/lists/oss-security/2014/02/18/8 | Third Party Advisory |
http://rhn.redhat.com/errata/RHSA-2014-0215.html | Third Party Advisory |
http://rhn.redhat.com/errata/RHSA-2014-0306.html | Third Party Advisory |
http://secunia.com/advisories/57376 | Permissions Required |
http://www.securityfocus.com/bid/65647 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1029782 | Third Party Advisory VDB Entry |
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2014-02-20T11:00:00
Updated: 2015-06-02T14:57:00
Reserved: 2013-12-03T00:00:00
Link: CVE-2014-0081
NVD Information
Status : Analyzed
Published: 2014-02-20T15:27:09.140
Modified: 2019-08-08T15:42:45.623
Link: CVE-2014-0081
Redhat Information
No data.
CWE