Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2013-1855 (GCVE-0-2013-1855)
Vulnerability from cvelistv5 – Published: 2013-03-19 22:00 – Updated: 2024-08-06 15:20
VLAI?
EPSS
Summary
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:35.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "APPLE-SA-2013-10-22-5",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"name": "openSUSE-SU-2014:0019",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2013:0662",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "RHSA-2013:0698",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"name": "APPLE-SA-2013-06-04-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "openSUSE-SU-2013:0661",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-03-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-09T18:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "APPLE-SA-2013-10-22-5",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"name": "openSUSE-SU-2014:0019",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2013:0662",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "RHSA-2013:0698",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"name": "APPLE-SA-2013-06-04-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "openSUSE-SU-2013:0661",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1855",
"datePublished": "2013-03-19T22:00:00.000Z",
"dateReserved": "2013-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T15:20:35.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTA-2013-AVI-603
Vulnerability from certfr_avis - Published: 2013-10-24 - Updated: 2013-10-24
De multiples vulnérabilités ont été corrigées dans Apple OS X Server. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Versions antérieures à OS X Server v3.0
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eVersions ant\u00e9rieures \u00e0 OS X Server v3.0\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-1856",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1856"
},
{
"name": "CVE-2013-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1855"
},
{
"name": "CVE-2012-3547",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3547"
},
{
"name": "CVE-2013-5143",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5143"
},
{
"name": "CVE-2013-0269",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0269"
},
{
"name": "CVE-2013-1854",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1854"
},
{
"name": "CVE-2013-1857",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1857"
}
],
"initial_release_date": "2013-10-24T00:00:00",
"last_revision_date": "2013-10-24T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-603",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-10-24T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X Server\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de\nservice \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT5999 du 22 octobre 2013",
"url": "http://support.apple.com/kb/HT5999"
}
]
}
CERTA-2013-AVI-193
Vulnerability from certfr_avis - Published: 2013-03-20 - Updated: 2013-03-20
De multiples vulnérabilités ont été corrigées dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | versions antérieures à Ruby on Rails 3.1.12 (pour la branche 3.1) | ||
| Ruby on Rails | Ruby on Rails | versions antérieures à Ruby on Rails 2.3.18 | ||
| Ruby on Rails | Ruby on Rails | Versions antérieures à Ruby on Rails 3.2.13 (pour la branche 3.2) |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "versions ant\u00e9rieures \u00e0 Ruby on Rails 3.1.12 (pour la branche 3.1)",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "versions ant\u00e9rieures \u00e0 Ruby on Rails 2.3.18",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Versions ant\u00e9rieures \u00e0 Ruby on Rails 3.2.13 (pour la branche 3.2)",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-1856",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1856"
},
{
"name": "CVE-2013-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1855"
},
{
"name": "CVE-2013-1854",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1854"
},
{
"name": "CVE-2013-1857",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1857"
}
],
"initial_release_date": "2013-03-20T00:00:00",
"last_revision_date": "2013-03-20T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-193",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eRuby on Rails\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer un d\u00e9ni de service \u00e0 distance et une injection de code\nindirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 18 mars 2013",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
}
]
}
CERTA-2013-AVI-340
Vulnerability from certfr_avis - Published: 2013-06-05 - Updated: 2013-06-05
De multiples vulnérabilités ont été corrigées dans Apple OS X. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Versions antérieures à OS X Mountain Lion 10.8.4
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eVersions ant\u00e9rieures \u00e0 OS X Mountain Lion 10.8.4\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0982",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0982"
},
{
"name": "CVE-2012-0050",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0050"
},
{
"name": "CVE-2013-0984",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0984"
},
{
"name": "CVE-2013-0277",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0277"
},
{
"name": "CVE-2013-1856",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1856"
},
{
"name": "CVE-2011-3210",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3210"
},
{
"name": "CVE-2013-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1855"
},
{
"name": "CVE-2013-0276",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0276"
},
{
"name": "CVE-2011-4619",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4619"
},
{
"name": "CVE-2013-0985",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0985"
},
{
"name": "CVE-2012-2110",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2110"
},
{
"name": "CVE-2011-4576",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4576"
},
{
"name": "CVE-2011-4577",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4577"
},
{
"name": "CVE-2013-0983",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0983"
},
{
"name": "CVE-2013-0989",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0989"
},
{
"name": "CVE-2011-4108",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4108"
},
{
"name": "CVE-2013-0990",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0990"
},
{
"name": "CVE-2013-0155",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0155"
},
{
"name": "CVE-2013-0986",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0986"
},
{
"name": "CVE-2013-0988",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0988"
},
{
"name": "CVE-2013-1024",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1024"
},
{
"name": "CVE-2013-0975",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0975"
},
{
"name": "CVE-2011-4109",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4109"
},
{
"name": "CVE-2011-3207",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3207"
},
{
"name": "CVE-2012-5519",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5519"
},
{
"name": "CVE-2011-1945",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-1945"
},
{
"name": "CVE-2013-0987",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0987"
},
{
"name": "CVE-2012-4929",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4929"
},
{
"name": "CVE-2013-1854",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1854"
},
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"name": "CVE-2012-2333",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2333"
},
{
"name": "CVE-2013-1857",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1857"
},
{
"name": "CVE-2012-2131",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2131"
}
],
"initial_release_date": "2013-06-05T00:00:00",
"last_revision_date": "2013-06-05T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-340",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-06-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT5784 du 04 juin 2013",
"url": "http://support.apple.com/kb/HT5784"
}
]
}
GHSA-Q759-HWVC-M3JG
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-08-25 20:06
VLAI?
Summary
actionpack Cross-site Scripting vulnerability
Details
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1855"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:51:17Z",
"nvd_published_at": "2013-03-19T22:55:00Z",
"severity": "MODERATE"
},
"details": "The `sanitize_css` method in `lib/action_controller/vendor/html-scanner/html/sanitizer.rb` in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle `\\n` (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.",
"id": "GHSA-q759-hwvc-m3jg",
"modified": "2023-08-25T20:06:33Z",
"published": "2017-10-24T18:33:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1855"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0698"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-1855"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921331"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5784"
},
{
"type": "WEB",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "actionpack Cross-site Scripting vulnerability"
}
GSD-2013-1855
Vulnerability from gsd - Updated: 2013-03-19 00:00Details
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-1855",
"description": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.",
"id": "GSD-2013-1855",
"references": [
"https://www.suse.com/security/cve/CVE-2013-1855.html",
"https://www.debian.org/security/2013/dsa-2655",
"https://access.redhat.com/errata/RHSA-2014:1863",
"https://access.redhat.com/errata/RHSA-2013:0698"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2013-1855",
"OSVDB-91452"
],
"details": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.",
"id": "GSD-2013-1855",
"modified": "2013-03-19T00:00:00.000Z",
"published": "2013-03-19T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html",
"refsource": "MISC",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "http://support.apple.com/kb/HT5784",
"refsource": "MISC",
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html",
"refsource": "MISC",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/",
"refsource": "MISC",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2014-1863.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"name": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"name": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0698.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"name": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain",
"refsource": "MISC",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1855",
"cvss_v2": 4.3,
"date": "2013-03-19",
"description": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.",
"framework": "rails",
"gem": "actionpack",
"osvdb": 91452,
"patched_versions": [
"~\u003e 2.3.18",
"~\u003e 3.1.12",
"\u003e= 3.2.13"
],
"title": "CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1855"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.3.18 || \u003e=2.4.0 \u003c3.1.12 || \u003e=3.2.0 \u003c3.2.13",
"affected_versions": "All versions before 2.3.18, all versions starting from 2.4.0 before 3.1.12, all versions starting from 3.2.0 before 3.2.13",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-08-08",
"description": "Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack.",
"fixed_versions": [
"2.3.18",
"3.1.12",
"3.2.13"
],
"identifier": "CVE-2013-1855",
"identifiers": [
"CVE-2013-1855"
],
"not_impacted": "None",
"package_slug": "gem/actionpack",
"pubdate": "2013-03-19",
"solution": "Upgrade, patches and workarounds available (see source)",
"title": "XSS vulnerability in sanitize_css in Action Pack",
"urls": [
"https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8"
],
"uuid": "2ee780ef-3b6b-46bc-a20e-4bf5bc73b75b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.3.17",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1855"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"name": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/",
"refsource": "CONFIRM",
"tags": [],
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"name": "RHSA-2013:0698",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"name": "openSUSE-SU-2013:0661",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"name": "openSUSE-SU-2013:0662",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"name": "APPLE-SA-2013-06-04-1",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "http://support.apple.com/kb/HT5784",
"refsource": "CONFIRM",
"tags": [],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "APPLE-SA-2013-10-22-5",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "openSUSE-SU-2014:0019",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:28Z",
"publishedDate": "2013-03-19T22:55Z"
}
}
}
FKIE_CVE-2013-1855
Vulnerability from fkie_nvd - Published: 2013-03-19 22:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C230384C-A52A-4167-A07D-0E06138EE246",
"versionEndIncluding": "2.3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
},
{
"lang": "es",
"value": "El m\u00e9todo sanitize_css en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pack en Ruby on Rails anterior a v2.3.18, v3.0.x y v3.1.x anterior a v3.1.12, y v3.2.x anterior a v3.2.13, no menaja adecuadamente los caracteres \\n (nueva l\u00ednea), lo que facilita a atacantes remotos llevar a cabo ataques XSS a trav\u00e9s de secuencias CSS."
}
],
"id": "CVE-2013-1855",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-03-19T22:55:01.027",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…