The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
13 Feb 2023, 00:28
Type | Values Removed | Values Added |
---|---|---|
Summary | The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. | |
References |
|
02 Feb 2023, 18:17
Type | Values Removed | Values Added |
---|---|---|
Summary | A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack. | |
References |
|
Information
Published : 2013-03-19 22:55
Updated : 2023-12-10 11:16
NVD link : CVE-2013-1855
Mitre link : CVE-2013-1855
CVE.ORG link : CVE-2013-1855
JSON object : View
Products Affected
rubyonrails
- ruby_on_rails
- rails
redhat
- enterprise_linux
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')