GHSA-6h5q-96hp-9jgm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6h5q-96hp-9jgm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-6h5q-96hp-9jgm/GHSA-6h5q-96hp-9jgm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6h5q-96hp-9jgm
- Aliases
-
- CVE-2013-6415
- Published
- 2017-10-24T18:33:36Z
- Modified
- 2024-11-29T05:42:36.454703Z
- Summary
- actionpack vulnerable to Cross-site Scripting
- Details
-
Cross-site scripting (XSS) vulnerability in the
number_to_currencyhelper inactionpack/lib/action_view/helpers/number_helper.rbin Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2020-06-16T21:19:20Z", "nvd_published_at": "2013-12-07T00:55:03Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-6415
- https://github.com/advisories/GHSA-6h5q-96hp-9jgm
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml
- https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
- https://puppet.com/security/cve/cve-2013-6415
- https://web.archive.org/web/20131206180005/http://www.securityfocus.com/bid/64077
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
- http://rhn.redhat.com/errata/RHSA-2013-1794.html
- http://rhn.redhat.com/errata/RHSA-2014-0008.html
- http://rhn.redhat.com/errata/RHSA-2014-1863.html
- http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
- http://www.debian.org/security/2014/dsa-2888
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.1.0.beta1
3.1.0.rc1
3.1.0.rc2
3.1.0.rc3
3.1.0.rc4
3.1.0.rc5
3.1.0.rc6
3.1.0.rc8
3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1
3.1.4
3.1.5.rc1
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.2.0.rc1
3.2.0.rc2
3.2.0
3.2.1
3.2.2.rc1
3.2.2
3.2.3.rc1
3.2.3.rc2
3.2.3
3.2.4.rc1
3.2.4
3.2.5
3.2.6
3.2.7.rc1
3.2.7
3.2.8.rc1
3.2.8.rc2
3.2.8
3.2.9.rc1
3.2.9.rc2
3.2.9.rc3
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13.rc1
3.2.13.rc2
3.2.13
3.2.14.rc1
3.2.14.rc2
3.2.14
3.2.15.rc1
3.2.15.rc2
3.2.15.rc3
3.2.15
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack