CVE-2013-1857

Redhat Enterprise Linux < 2.3.17 - XSS

Title source: rule

Description

The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a &#x3a; sequence.

References (10)

Scores

EPSS 0.0063
EPSS Percentile 69.9%

Details

CWE
CWE-79
Status published
Products (50)
redhat/enterprise_linux
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
rubyonrails/rails
... and 40 more
Published Mar 19, 2013
Tracked Since Feb 18, 2026