CVE-2016-6316

medium

Description

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

References

https://puppet.com/security/cve/cve-2016-6316

https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE

http://www.securityfocus.com/bid/92430

http://www.openwall.com/lists/oss-security/2016/08/11/3

http://www.debian.org/security/2016/dsa-3651

http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/

http://rhn.redhat.com/errata/RHSA-2016-1858.html

http://rhn.redhat.com/errata/RHSA-2016-1857.html

http://rhn.redhat.com/errata/RHSA-2016-1856.html

http://rhn.redhat.com/errata/RHSA-2016-1855.html

Details

Source: Mitre, NVD

Published: 2016-09-07

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium