CVE-2015-7579

MEDIUM

rails-html-sanitizer < 1.0.2 - Cross-Site Scripting via HTML Entity Mishandling

Title source: llm
STIX 2.1

Description

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.

References (9)

Core 9
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/25/12
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034816

Scores

CVSS v3 6.1
EPSS 0.0017
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
rubygems/rails-html-sanitizer 0 - 1.0.3RubyGems
rubyonrails/html_sanitizer < 1.0.2
Published Feb 16, 2016
Tracked Since Feb 18, 2026