GHSA-vpqv-mqvc-pcx2

Source

https://github.com/advisories/GHSA-vpqv-mqvc-pcx2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-vpqv-mqvc-pcx2/GHSA-vpqv-mqvc-pcx2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vpqv-mqvc-pcx2

Aliases

CVE-2014-4920

Published

2023-03-16T18:35:11Z

Modified

2024-11-30T05:34:35.938132Z

Summary

Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails

Details

The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-16T18:35:11Z"
}

References

Affected packages

RubyGems / twitter-bootstrap-rails

Package

Name: twitter-bootstrap-rails
Purl: pkg:gem/twitter-bootstrap-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0

Affected versions

0.*

0.0.3

0.0.4

0.0.5

1.*

1.3.0

1.3.1

1.4.0

1.4.1

1.4.2

1.4.3

2.*

2.0rc0

2.0

2.0.0

2.0.1

2.0.1.0

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.2.0

2.2.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8