RubySec

Providing security resources for the Ruby community

CVE-2013-6416 (actionpack): XSS Vulnerability in simple_format helper

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 4.3 (Medium)

UNAFFECTED VERSIONS

  • ~> 2.3.0
  • ~> 3.1.0
  • ~> 3.2.0

PATCHED VERSIONS

  • >= 4.0.2

DESCRIPTION

There is a vulnerability in the simple_format helper in Ruby on Rails. The simple_format helper converts user-supplied text into HTML that is intended to be safe for display. A change made to the implementation of this helper means that any user-provided HTML attributes are not escaped correctly. As a result of this error, applications which pass user-controlled data to be included as HTML attributes are vulnerable to an XSS attack.
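The two checks a defender wants from this advisory are (1) whether a given actionpack version falls in the unaffected or patched ranges listed above, and (2) that any user-controlled value destined for an HTML attribute is escaped before it reaches the helper. The following is an added example written for this page; it is not code from RubySec or from Ruby on Rails. The version ranges are taken from the advisory; the function names `vulnerable_actionpack?`, `escape_html_attributes` and `render_paragraph` are this example's own, and `render_paragraph` is a deliberately minimal stand-in for the paragraph output of the real helper, used only to make the attribute escaping visible. It relies on `ERB::Util.html_escape` and `Gem::Version` from the Ruby standard library, so it runs without Rails.

```ruby
require "erb"
require "rubygems"

# Version ranges exactly as listed in the advisory.
UNAFFECTED_REQUIREMENTS = ["~> 2.3.0", "~> 3.1.0", "~> 3.2.0"].map do |req|
  Gem::Requirement.new(req)
end
PATCHED_REQUIREMENT = Gem::Requirement.new(">= 4.0.2")

# Returns true when the given actionpack version string is neither in an
# unaffected series nor at or above the patched release.
def vulnerable_actionpack?(version_string)
  version = Gem::Version.new(version_string)
  return false if PATCHED_REQUIREMENT.satisfied_by?(version)
  return false if UNAFFECTED_REQUIREMENTS.any? { |req| req.satisfied_by?(version) }
  true
end

# Escapes every attribute value so that quotes and angle brackets cannot
# terminate the attribute or open a new tag. Attribute names are not escaped
# but are restricted to a conservative character set and rejected otherwise,
# because an escaped name is still not a valid name.
ATTRIBUTE_NAME = /\A[a-zA-Z_:][-a-zA-Z0-9_:.]*\z/

def escape_html_attributes(attrs)
  attrs.each_with_object({}) do |(name, value), out|
    unless name.to_s.match?(ATTRIBUTE_NAME)
      raise ArgumentError, "unsafe attribute name: #{name.inspect}"
    end
    out[name] = ERB::Util.html_escape(value.to_s)
  end
end

# Hypothetical stand-in for the helper's <p> output (not the real
# simple_format): shows what the escaped attributes look like in the markup.
def render_paragraph(text, attrs = {})
  attr_string = escape_html_attributes(attrs).map { |k, v| %( #{k}="#{v}") }.join
  "<p#{attr_string}>#{ERB::Util.html_escape(text)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_actionpack?("4.0.1")   # true
  puts vulnerable_actionpack?("3.2.16")  # false (unaffected series)
  # Constructed user input: a CSS class containing a double quote.
  puts render_paragraph("hello <world>", "class" => 'note" data-x="y')
end
```

In an application on an affected version, the practical mitigation is to run attribute values from request parameters through `escape_html_attributes` (or simply never to take attribute values from user input) before calling `simple_format`; on `>= 4.0.2` the helper performs the escaping itself, but the version check is still useful in a dependency audit.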