ADVISORIES
- CVE-2013-6415 (NVD)
- GHSA-6h5q-96hp-9jgm
- OSVDB-100524
- Vendor Advisory
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 4.3 (Medium)
PATCHED VERSIONS
- ~> 3.2.16
- >= 4.0.2
DESCRIPTION
There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile. The number_to_currency helper allows users to nicely format a numeric value. One of the parameters to the helper (unit) is not escaped correctly. Applications which pass user controlled data as the unit parameter are vulnerable to an XSS attack.