RubySec

Providing security resources for the Ruby community

CVE-2013-6416 (actionpack): XSS Vulnerability in simple_format helper

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3

UNAFFECTED VERSIONS

  • ~> 2.3.0
  • ~> 3.1.0
  • ~> 3.2.0

PATCHED VERSIONS

  • >= 4.0.2

DESCRIPTION

There is a vulnerability in the simple_format helper in Ruby on Rails. The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.