CVE-2016-6316
rails Moderate
Cross-Site Scripting
Discovered 12 months ago
Published about 5 years ago
Category: Cross-Site Scripting
Source: NIST NVD
Severity: Moderate

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Impact

Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped, which can lead to an XSS attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
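The affected pattern and the workaround above, shown as an added example in plain Ruby (this is not code from the advisory or from Rails, and it needs no Rails install). It models the tag helper with a minimal stand-in: a SafeString class standing in for ActiveSupport::SafeBuffer, a toy sanitize that only strips tags, and two content_tag variants, one applying the affected rule (safe-flagged values pass through untouched) and one applying a hardened rule (double quotes are escaped whatever the flag says). The method names html_safe, sanitize and content_tag follow the advisory, but their bodies, the SafeString class, the USER_INPUT value and the attribute_boundaries_intact? check are assumptions made for this example, and the hardened rule is this example's illustration, not the text of the Rails patch.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String carrying an "already escaped" flag.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  # Stand-in for ActiveSupport's String#html_safe (assumed, not the Rails code).
  def html_safe
    SafeString.new(self)
  end
end

# Stand-in for the sanitize helper: strips tags and, like the Rails helper,
# hands back a value marked HTML safe. (A real sanitizer does far more.)
def sanitize(value)
  value.gsub(/<[^>]*>/, '').html_safe
end

# Attribute escaping as modelled for the affected releases: a value flagged
# safe passes through untouched, double quotes included.
def attr_value_affected(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Hardened rule: even a safe-flagged value has its double quotes escaped,
# because inside a quoted attribute a raw quote ends the value regardless of the flag.
def attr_value_hardened(value)
  value.html_safe? ? value.to_s.gsub('"', '&quot;') : CGI.escapeHTML(value.to_s)
end

# Minimal content_tag: <name attr="...">content</name>, with the attribute
# escaping rule supplied by the block.
def render_tag(name, content, attrs)
  rendered = attrs.map { |k, v| %(#{k}="#{yield(v)}") }.join(' ')
  "<#{name} #{rendered}>#{CGI.escapeHTML(content)}</#{name}>"
end

def content_tag_affected(name, content, attrs = {})
  render_tag(name, content, attrs) { |v| attr_value_affected(v) }
end

def content_tag_hardened(name, content, attrs = {})
  render_tag(name, content, attrs) { |v| attr_value_hardened(v) }
end

# The advisory's workaround, reproduced as published.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Check for a rendered tag: every raw double quote must be an attribute
# delimiter, so the count is exactly twice the number of attributes rendered.
def attribute_boundaries_intact?(tag, attr_count)
  tag.count('"') == 2 * attr_count
end

# Constructed input for the example: a harmless value containing quotes and a tag.
USER_INPUT = %(<b>Bob "the builder").freeze

def affected_example
  # sanitize strips <b> and marks the rest safe; the quotes survive unescaped
  # and terminate the title attribute early.
  content_tag_affected(:div, "hi", title: sanitize(USER_INPUT))
end

def hardened_example
  content_tag_hardened(:div, "hi", title: sanitize(USER_INPUT))
end

if __FILE__ == $PROGRAM_NAME
  puts affected_example                                    # <div title="Bob "the builder"">hi</div>
  puts attribute_boundaries_intact?(affected_example, 1)   # false
  puts hardened_example                                    # <div title="Bob &quot;the builder&quot;">hi</div>
  puts escape_quotes(sanitize(USER_INPUT))                 # Bob &quot;the builder&quot;
end
```

Two things the run makes visible: a plain (unflagged) string was never at risk, since the helper escapes it fully, and the problem appears only once a value carries the safe flag, which sanitize sets automatically. The attribute_boundaries_intact? count is a cheap assertion to drop into a view test for any helper call that passes user-derived, safe-flagged text into an attribute.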

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Patched Versions

~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Unaffected Versions

< 3.0.0

CVE-2016-7103
jquery-ui-rails Moderate
Cross-Site Scripting
Discovered 12 months ago
Published about 5 years ago
Category: Cross-Site Scripting
Source: GitHub
Severity: Moderate

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 6.0.0

Unaffected Versions

n/a

References

n/a