CVE-2013-6415
Ruby on Rails < 3.2.16 and 4.x < 4.0.2 - Cross-Site Scripting via number_to_currency Helper Unit Parameter
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
References (15)
Core 15
Core References
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0008.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1863.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1794.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
Various Sources x_refsource_confirm
https://puppet.com/security/cve/cve-2013-6415
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
Patch, Vendor Advisory x_refsource_confirm
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/64077
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/56093
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-2888
Scores
EPSS
0.0151
EPSS Percentile
81.4%
Details
CWE
CWE-79
Status
published
Products (22)
rubygems/actionpack
3.0.0 - 3.2.16RubyGems
rubyonrails/rails
3.0.0 (7 CPE variants)
rubyonrails/rails
3.0.1 (2 CPE variants)
rubyonrails/rails
3.0.2 (2 CPE variants)
rubyonrails/rails
3.0.3
rubyonrails/rails
3.0.4 rc1
rubyonrails/rails
3.0.5 (2 CPE variants)
rubyonrails/rails
3.0.6 (3 CPE variants)
rubyonrails/rails
3.0.7 (3 CPE variants)
rubyonrails/rails
3.0.8 (5 CPE variants)
... and 12 more
Published
Dec 07, 2013
Tracked Since
Feb 18, 2026