CVE-2020-15169 - OpenCVE

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Action View Project	Action View
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:action_view_project:action_view::::::ruby::*
	cpe:2.3:a:action_view_project:action_view::::::ruby::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
https://www.debian.org/security/2020/dsa-4766	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-11T15:50:12

Updated: 2020-10-09T20:06:10

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15169

JSON object: View

NVD Information

Status : Modified

Published: 2020-09-11T16:15:12.287

Modified: 2023-11-07T03:17:26.487

Link: CVE-2020-15169

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "actionview", "vendor": "rails", "versions": [{"status": "affected", "version": "< 5.2.4.4"}, {"status": "affected", "version": ">= 6.0.0.0, < 6.0.3.3"}]}], "descriptions": [{"lang": "en", "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-09T20:06:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"}, {"name": "DSA-4766", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4766"}, {"name": "FEDORA-2020-4dd34860a3", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"}, {"name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"}], "source": {"advisory": "GHSA-cfjv-5498-mph5", "discovery": "UNKNOWN"}, "title": "XSS in Action View", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15169", "STATE": "PUBLIC", "TITLE": "XSS in Action View"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "actionview", "version": {"version_data": [{"version_value": "< 5.2.4.4"}, {"version_value": ">= 6.0.0.0, < 6.0.3.3"}]}}]}, "vendor_name": "rails"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5", "refsource": "CONFIRM", "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"}, {"name": "DSA-4766", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4766"}, {"name": "FEDORA-2020-4dd34860a3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"}, {"name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"}]}, "source": {"advisory": "GHSA-cfjv-5498-mph5", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15169", "datePublished": "2020-09-11T15:50:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-10-09T20:06:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:action_view_project:action_view:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "385E66EA-7A3C-46CF-8587-42D72DC51AD4", "versionEndExcluding": "5.2.4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:action_view_project:action_view:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "BF1D503E-345C-4FD5-8904-AE2079A7F704", "versionEndExcluding": "6.0.3.3", "versionStartIncluding": "6.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."}, {"lang": "es", "value": "En Action View versiones anteriores a 5.2.4.4 y 6.0.3.3, se presenta una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) en los asistentes de traducci\u00f3n de Action View. Las vistas que permiten al usuario controlar el valor predeterminado (no encontrado) de los asistentes \"t\" y \"translate\" podr\u00edan ser susceptibles a ataques de tipo XSS. Cuando es pasada una cadena no segura hacia HTML como predeterminada para una clave de traducci\u00f3n faltante llamada html o terminando en _html, la cadena predeterminada es marcada incorrectamente como segura para HTML y no escapaba. Esto est\u00e1 parcheado en las versiones 6.0.3.3 y 5.2.4.4. Se propone una soluci\u00f3n alternativa sin actualizar en el aviso de fuente"}], "id": "CVE-2020-15169", "lastModified": "2023-11-07T03:17:26.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-11T16:15:12.287", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4766"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}