RubySec

Providing security resources for the Ruby community

CVE-2013-6415 (actionpack): XSS Vulnerability in number_to_currency

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3 (Medium)

PATCHED VERSIONS

  • ~> 3.2.16
  • >= 4.0.2

DESCRIPTION

There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile. The number_to_currency helper allows users to nicely format a numeric value. One of the parameters to the helper (unit) is not escaped correctly. Applications which pass user controlled data as the unit parameter are vulnerable to an XSS attack.