Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:1857 advisory.

    Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack     implements the controller and the view components.

    Security Fix(es):

    * It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML     safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS)     attack. (CVE-2016-6316)

    Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges     Andrew Carpenter (Critical Juncture) as the original reporter.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:1858 advisory.

    Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack     implements the controller and the view components.

    Security Fix(es):

    * It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML     safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS)     attack. (CVE-2016-6316)

    Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges     Andrew Carpenter (Critical Juncture) as the original reporter.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Update to Rails 5.0.0.1.

Enable whole test suite in Railties.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ruby Security team reports :

There is a possible XSS vulnerability in Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316.

- Fix for CVE-2016-6316 (rhbz#1366480)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails :

CVE-2015-7576

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication.
Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.

CVE-2016-0751

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service.

CVE-2016-0752

A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.

CVE-2016-2097

Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit.

CVE-2016-6316

Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View in rails, a web application framework written in Ruby. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.

ID	Name	Product	Family	Severity
210207	RHEL 6 / 7 : ror40-rubygem-actionpack (RHSA-2016:1857)	Nessus	Red Hat Local Security Checks	medium
210187	RHEL 6 / 7 : ruby193-rubygem-actionpack (RHSA-2016:1858)	Nessus	Red Hat Local Security Checks	medium
94808	Fedora 25 : 1:rubygem-actionmailer / 1:rubygem-actionpack / etc (2016-5760339e76)	Nessus	Fedora Local Security Checks	high
94081	FreeBSD : Rails 4 -- Possible XSS Vulnerability in Action View (43f1c867-654a-11e6-8286-00248c0c745d)	Nessus	FreeBSD Local Security Checks	medium
93143	Fedora 23 : rubygem-actionview (2016-ab8bf51cf3)	Nessus	Fedora Local Security Checks	medium
93137	Fedora 24 : rubygem-actionview (2016-0d9890f7b5)	Nessus	Fedora Local Security Checks	medium
93132	Debian DLA-604-1 : ruby-actionpack-3.2 security update	Nessus	Debian Local Security Checks	high
93114	Debian DSA-3651-1 : rails - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2016-6316

medium

Tenable Plugins

medium

medium

high

medium

medium

medium

high

medium