CVE-2014-0081

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html	Third Party Advisory
http://openwall.com/lists/oss-security/2014/02/18/8	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0215.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0306.html	Third Party Advisory
http://secunia.com/advisories/57376	Permissions Required
http://www.securityfocus.com/bid/65647	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1029782	Third Party Advisory VDB Entry
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails:0.9.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.9.2:::::::*
	cpe:2.3:a:rubyonrails:rails:0.9.3:::::::*
	cpe:2.3:a:rubyonrails:rails:0.9.4:::::::*
	cpe:2.3:a:rubyonrails:rails:0.9.4.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.10.0:::::::*
	cpe:2.3:a:rubyonrails:rails:0.10.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.11.0:::::::*
	cpe:2.3:a:rubyonrails:rails:0.11.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.12.0:::::::*
	cpe:2.3:a:rubyonrails:rails:0.12.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.13.0:::::::*
	cpe:2.3:a:rubyonrails:rails:0.13.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.14.1:::::::*
	cpe:2.3:a:rubyonrails:rails:0.14.2:::::::*
	cpe:2.3:a:rubyonrails:rails:0.14.3:::::::*
	cpe:2.3:a:rubyonrails:rails:0.14.4:::::::*
	cpe:2.3:a:rubyonrails:rails:1.0.0:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.0:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.1:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.2:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.3:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.4:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.5:::::::*
	cpe:2.3:a:rubyonrails:rails:1.1.6:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.0:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.1:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.2:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.3:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.4:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.5:::::::*
	cpe:2.3:a:rubyonrails:rails:1.2.6:::::::*
	cpe:2.3:a:rubyonrails:rails:1.9.5:::::::*
	cpe:2.3:a:rubyonrails:rails:2.0.0:::::::*
	cpe:2.3:a:rubyonrails:rails:2.0.0:rc1::::::
	cpe:2.3:a:rubyonrails:rails:2.0.0:rc2::::::
	cpe:2.3:a:rubyonrails:rails:2.0.1:::::::*
	cpe:2.3:a:rubyonrails:rails:2.0.2:::::::*
	cpe:2.3:a:rubyonrails:rails:2.0.4:::::::*
	cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*
	cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*
	cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*
	cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*
	cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*
	cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.0:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.1:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.11:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.12:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.13:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.14:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.15:::::::*
	cpe:2.3:a:rubyonrails:rails:2.3.16:::::::*
	cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
	cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
	cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
	cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
	cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
	cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.0.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.0.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4::::::
cpe:2.3:a:rubyonrails:rails:3.0.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4::::::
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5::::::
cpe:2.3:a:rubyonrails:rails:3.0.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.11:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.12:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.12:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.13:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.13:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.0.14:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.16:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.17:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.18:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.19:::::::*
cpe:2.3:a:rubyonrails:rails:3.0.20:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.11:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.12:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.13:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.13:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.13:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.15:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.15:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:beta::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.0.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.0:beta1::::::
cpe:2.3:a:rubyonrails:ruby_on_rails::::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2::::::

Configuration 2 (hide)

OR	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse_project:opensuse:12.3:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:redhat:cloudforms:3.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*

History

No history.

Information

Published : 2014-02-20 15:27

Updated : 2023-12-10 11:31

NVD link : CVE-2014-0081

Mitre link : CVE-2014-0081

CVE.ORG link : CVE-2014-0081

JSON object : View

Products Affected

rubyonrails

ruby_on_rails
rails

opensuse

opensuse

redhat

cloudforms
enterprise_linux

opensuse_project

opensuse

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.3 /10