CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3741 – rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
https://notcve.org/view.php?id=CVE-2018-3741
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately. Es posible que haya una vulnerabilidad Cross-Site Scripting (XSS) en todas las versiones inferiores a la 1.0.4 de la gema rails-html-sanitizer para Ruby. • https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae https://access.redhat.com/security/cve/CVE-2018-3741 https://bugzilla.redhat.com/show_bug.cgi?id=1568842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0CVE-2015-7578
https://notcve.org/view.php?id=CVE-2015-7578
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. Vulnerabilidad de XSS en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de atributos de etiqueta manipulados. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/11 http://www.securitytracker.com/id/1034816 https://git • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0CVE-2015-7580
https://notcve.org/view.php?id=CVE-2015-7580
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. Vulnerabilidad de XSS en lib/rails/html/scrubbers.rb en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nodo CDATA manipulado. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/15 http://www.securitytracker.com/id/1034816 https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0CVE-2015-7579
https://notcve.org/view.php?id=CVE-2015-7579
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/12 http://www.securitytracker.com/id/1034816 https://git • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •