{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"}, {"name": "1034816", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034816"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"}, {"name": "SUSE-SU-2016:0391", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"}, {"name": "openSUSE-SU-2016:0356", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7580", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"}, {"name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"}, {"name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816"}, {"name": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"}, {"name": "SUSE-SU-2016:0391", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"}, {"name": "openSUSE-SU-2016:0356", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7580", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2017-09-09T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4", "versionEndIncluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*", "matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE", "vulnerable": false}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."}, {"lang": "es", "value": "Vulnerabilidad de XSS en lib/rails/html/scrubbers.rb en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nodo CDATA manipulado."}], "id": "CVE-2015-7580", "lastModified": "2019-08-08T15:16:49.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-02-16T02:59:03.970", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034816"}, {"source": "secalert@redhat.com", "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}