GHSA-vxvp-4xwc-jpp6

Source

https://github.com/advisories/GHSA-vxvp-4xwc-jpp6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-vxvp-4xwc-jpp6/GHSA-vxvp-4xwc-jpp6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vxvp-4xwc-jpp6

Aliases

CVE-2015-3226

Published

2017-10-24T18:33:36Z

Modified

2024-11-30T05:28:41.984741Z

Summary

activesupport Cross-site Scripting vulnerability

Details

Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.

Database specific

{
    "nvd_published_at": "2015-07-26T22:59:05Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:59:02Z"
}

References

Affected packages

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.2.22.5

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1

3.0.4

3.0.5.rc1

3.0.5

3.0.6.rc1

3.0.6.rc2

3.0.6

3.0.7.rc1

3.0.7.rc2

3.0.7

3.0.8.rc1

3.0.8.rc2

3.0.8.rc4

3.0.8

3.0.9.rc1

3.0.9.rc3

3.0.9.rc4

3.0.9.rc5

3.0.9

3.0.10.rc1

3.0.10

3.0.11

3.0.12.rc1

3.0.12

3.0.13.rc1

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.1.0.beta1

3.1.0.rc1

3.1.0.rc2

3.1.0.rc3

3.1.0.rc4

3.1.0.rc5

3.1.0.rc6

3.1.0.rc8

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

3.1.4

3.1.5.rc1

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.2.0.rc1

3.2.0.rc2

3.2.0

3.2.1

3.2.2.rc1

3.2.2

3.2.3.rc1

3.2.3.rc2

3.2.3

3.2.4.rc1

3.2.4

3.2.5

3.2.6

3.2.7.rc1

3.2.7

3.2.8.rc1

3.2.8.rc2

3.2.8

3.2.9.rc1

3.2.9.rc2

3.2.9.rc3

3.2.9

3.2.10

3.2.11

3.2.12

3.2.13.rc1

3.2.13.rc2

3.2.13

3.2.14.rc1

3.2.14.rc2

3.2.14

3.2.15.rc1

3.2.15.rc2

3.2.15.rc3

3.2.15

3.2.16

3.2.17

3.2.18

3.2.19

3.2.20

3.2.21

3.2.22

3.2.22.1

3.2.22.2

3.2.22.3

3.2.22.4

Database specific

{
    "last_known_affected_version_range": "<= 3.2.22.4"
}

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.11

Affected versions

4.*

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.2

Affected versions

4.*

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1