
6 vulnerabilities found for actionview by rails

CVE-2026-33168 (GCVE-0-2026-33168)

Vulnerability from nvd – Published: 2026-03-23 23:01 – Updated: 2026-03-24 13:36
Title
Rails has a possible XSS vulnerability in its Action View tag helpers
Summary
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
rails actionview Affected: >= 8.1.0.beta1, < 8.1.2.1
Affected: >= 8.0.0.beta1, < 8.0.4.1
Affected: < 7.2.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T13:36:28.555604Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T13:36:44.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.1.0.beta1, \u003c 8.1.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0.beta1, \u003c 8.0.4.1"
            },
            {
              "status": "affected",
              "version": "\u003c 7.2.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T23:19:11.173Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"
        },
        {
          "name": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c"
        },
        {
          "name": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d"
        },
        {
          "name": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-v55j-83pf-r9cq",
        "discovery": "UNKNOWN"
      },
      "title": "Rails has a possible XSS vulnerability in its Action View tag helpers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33168",
    "datePublished": "2026-03-23T23:01:22.019Z",
    "dateReserved": "2026-03-17T21:17:08.888Z",
    "dateUpdated": "2026-03-24T13:36:44.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2020-15169 (GCVE-0-2020-15169)

Vulnerability from nvd – Published: 2020-09-11 15:50 – Updated: 2024-08-04 13:08
Title
XSS in Action View
Summary
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
rails actionview Affected: < 5.2.4.4
Affected: >= 6.0.0.0, < 6.0.3.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.436Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
          },
          {
            "name": "DSA-4766",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4766"
          },
          {
            "name": "FEDORA-2020-4dd34860a3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
          },
          {
            "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0.0, \u003c 6.0.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View\u0027s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-09T20:06:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
        },
        {
          "name": "DSA-4766",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4766"
        },
        {
          "name": "FEDORA-2020-4dd34860a3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
        },
        {
          "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
        }
      ],
      "source": {
        "advisory": "GHSA-cfjv-5498-mph5",
        "discovery": "UNKNOWN"
      },
      "title": "XSS in Action View",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15169",
          "STATE": "PUBLIC",
          "TITLE": "XSS in Action View"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "actionview",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 5.2.4.4"
                          },
                          {
                            "version_value": "\u003e= 6.0.0.0, \u003c 6.0.3.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View\u0027s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5",
              "refsource": "CONFIRM",
              "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
            },
            {
              "name": "DSA-4766",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4766"
            },
            {
              "name": "FEDORA-2020-4dd34860a3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
            },
            {
              "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cfjv-5498-mph5",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15169",
    "datePublished": "2020-09-11T15:50:12.000Z",
    "dateReserved": "2020-06-25T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:08:22.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-5267 (GCVE-0-2020-5267)

Vulnerability from nvd – Published: 2020-03-19 17:30 – Updated: 2024-08-04 08:22
Title
Possible XSS vulnerability in ActionView
Summary
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
Impacted products
Vendor Product Version
rails actionview Affected: < 5.2.4.2
Affected: >= 6.0.0, < 6.0.2.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
          },
          {
            "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
          },
          {
            "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
          },
          {
            "name": "openSUSE-SU-2020:0627",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
          },
          {
            "name": "FEDORA-2020-4dd34860a3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.4.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.0.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView\u0027s JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-05T01:06:18.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
        },
        {
          "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
        },
        {
          "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
        },
        {
          "name": "openSUSE-SU-2020:0627",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
        },
        {
          "name": "FEDORA-2020-4dd34860a3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
        }
      ],
      "source": {
        "advisory": "GHSA-65cv-r6x7-79hv",
        "discovery": "UNKNOWN"
      },
      "title": "Possible XSS vulnerability in ActionView",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5267",
          "STATE": "PUBLIC",
          "TITLE": "Possible XSS vulnerability in ActionView"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "actionview",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 5.2.4.2"
                          },
                          {
                            "version_value": "\u003e= 6.0.0, \u003c 6.0.2.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView\u0027s JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv",
              "refsource": "CONFIRM",
              "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
            },
            {
              "name": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a",
              "refsource": "MISC",
              "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
            },
            {
              "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
            },
            {
              "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
            },
            {
              "name": "openSUSE-SU-2020:0627",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
            },
            {
              "name": "FEDORA-2020-4dd34860a3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-65cv-r6x7-79hv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5267",
    "datePublished": "2020-03-19T17:30:16.000Z",
    "dateReserved": "2020-01-02T00:00:00.000Z",
    "dateUpdated": "2024-08-04T08:22:09.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2026-33168 (GCVE-0-2026-33168)

Vulnerability from cvelistv5 – Published: 2026-03-23 23:01 – Updated: 2026-03-24 13:36
Title
Rails has a possible XSS vulnerability in its Action View tag helpers
Summary
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
rails actionview Affected: >= 8.1.0.beta1, < 8.1.2.1
Affected: >= 8.0.0.beta1, < 8.0.4.1
Affected: < 7.2.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T13:36:28.555604Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T13:36:44.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.1.0.beta1, \u003c 8.1.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0.beta1, \u003c 8.0.4.1"
            },
            {
              "status": "affected",
              "version": "\u003c 7.2.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T23:19:11.173Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"
        },
        {
          "name": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c"
        },
        {
          "name": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d"
        },
        {
          "name": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
        },
        {
          "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-v55j-83pf-r9cq",
        "discovery": "UNKNOWN"
      },
      "title": "Rails has a possible XSS vulnerability in its Action View tag helpers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33168",
    "datePublished": "2026-03-23T23:01:22.019Z",
    "dateReserved": "2026-03-17T21:17:08.888Z",
    "dateUpdated": "2026-03-24T13:36:44.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2020-15169 (GCVE-0-2020-15169)

Vulnerability from cvelistv5 – Published: 2020-09-11 15:50 – Updated: 2024-08-04 13:08
Title
XSS in Action View
Summary
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
rails actionview Affected: < 5.2.4.4
Affected: >= 6.0.0.0, < 6.0.3.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.436Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
          },
          {
            "name": "DSA-4766",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4766"
          },
          {
            "name": "FEDORA-2020-4dd34860a3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
          },
          {
            "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0.0, \u003c 6.0.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View\u0027s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-09T20:06:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
        },
        {
          "name": "DSA-4766",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4766"
        },
        {
          "name": "FEDORA-2020-4dd34860a3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
        },
        {
          "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
        }
      ],
      "source": {
        "advisory": "GHSA-cfjv-5498-mph5",
        "discovery": "UNKNOWN"
      },
      "title": "XSS in Action View",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15169",
          "STATE": "PUBLIC",
          "TITLE": "XSS in Action View"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "actionview",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 5.2.4.4"
                          },
                          {
                            "version_value": "\u003e= 6.0.0.0, \u003c 6.0.3.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View\u0027s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5",
              "refsource": "CONFIRM",
              "url": "https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"
            },
            {
              "name": "DSA-4766",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4766"
            },
            {
              "name": "FEDORA-2020-4dd34860a3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
            },
            {
              "name": "[debian-lts-announce] 20201009 [SECURITY] [DLA 2403-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cfjv-5498-mph5",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15169",
    "datePublished": "2020-09-11T15:50:12.000Z",
    "dateReserved": "2020-06-25T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:08:22.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-5267 (GCVE-0-2020-5267)

Vulnerability from cvelistv5 – Published: 2020-03-19 17:30 – Updated: 2024-08-04 08:22
Title
Possible XSS vulnerability in ActionView
Summary
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that pass untrusted input through the `j` or `escape_javascript` methods (i.e. rely on them to safely embed that input in a JavaScript literal) may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
Impacted products
Vendor Product Version
rails actionview Affected: < 5.2.4.2
Affected: >= 6.0.0, < 6.0.2.2

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
          },
          {
            "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
          },
          {
            "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
          },
          {
            "name": "openSUSE-SU-2020:0627",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
          },
          {
            "name": "FEDORA-2020-4dd34860a3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actionview",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.4.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.0.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView\u0027s JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-05T01:06:18.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
        },
        {
          "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
        },
        {
          "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
        },
        {
          "name": "openSUSE-SU-2020:0627",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
        },
        {
          "name": "FEDORA-2020-4dd34860a3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
        }
      ],
      "source": {
        "advisory": "GHSA-65cv-r6x7-79hv",
        "discovery": "UNKNOWN"
      },
      "title": "Possible XSS vulnerability in ActionView",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5267",
          "STATE": "PUBLIC",
          "TITLE": "Possible XSS vulnerability in ActionView"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "actionview",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 5.2.4.2"
                          },
                          {
                            "version_value": "\u003e= 6.0.0, \u003c 6.0.2.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView\u0027s JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv",
              "refsource": "CONFIRM",
              "url": "https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv"
            },
            {
              "name": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a",
              "refsource": "MISC",
              "url": "https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a"
            },
            {
              "name": "[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/03/19/1"
            },
            {
              "name": "[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html"
            },
            {
              "name": "openSUSE-SU-2020:0627",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html"
            },
            {
              "name": "FEDORA-2020-4dd34860a3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-65cv-r6x7-79hv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5267",
    "datePublished": "2020-03-19T17:30:16.000Z",
    "dateReserved": "2020-01-02T00:00:00.000Z",
    "dateUpdated": "2024-08-04T08:22:09.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}