CVE-2020-15169
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-15169
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15169.json
- Aliases
- Related
- Published
- 2020-09-11T16:15:12Z
- Modified
- 2023-11-29T07:34:12.852141Z
- Details
-
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the
tandtranslatehelpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory. - References
-
- https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5
- https://www.debian.org/security/2020/dsa-4766
- https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
Affected packages
Git / github.com/rails/rails
Affected versions
v0.*
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.14.1
v0.14.3
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.4.1
v0.9.5
v1.*
v1.1.0
v1.1.0_RC1
v1.1.1
v2.*
v2.0.0
v2.0.0_PR
v2.0.0_RC1
v2.0.0_RC2
v2.0.1
v2.1.0
v2.1.0_RC1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.2.1
v3.*
v3.0.0.beta.2
v3.0.0.beta.3
v3.0.0.beta1
v3.0.0.beta2
v3.0.0.beta3
v3.0.0.beta4
v3.0.0_RC
v3.1.0.beta1
v3.1.0.rc1
v3.2.0.rc1
v4.*
v4.0.0.beta1
v4.0.0.rc1
v4.1.0.beta1
v4.1.0.beta2
v4.2.0.beta1
v4.2.0.beta4
v5.*
v5.0.0.beta1
v5.0.0.beta1.1
v5.0.0.beta2
v5.0.0.beta3
v5.0.0.beta4
v5.0.0.rc1
v5.1.0.beta1
v5.2.0
v5.2.0.rc1
v5.2.0.rc2
v5.2.1
v5.2.1.1
v5.2.1.rc1
v5.2.2
v5.2.2.1
v5.2.2.rc1
v5.2.3
v5.2.3.rc1
v5.2.4
v5.2.4.1
v5.2.4.2
v5.2.4.3
v5.2.4.rc1