Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for html_sanitizer by rubyonrails

    CVE-2018-3741 (GCVE-0-2018-3741)

    Vulnerability from nvd – Published: 2018-03-30 19:00 – Updated: 2024-08-05 04:50
    VLAI
    Summary
    There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rails rails-html-sanitizer Affected: <= 1.0.3
    Create a notification for this product.
    Date Public
    2018-03-30 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:50:30.644Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rails-html-sanitizer",
              "vendor": "Rails",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.0.3"
                }
              ]
            }
          ],
          "datePublic": "2018-03-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-30T18:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-3741",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "rails-html-sanitizer",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c= 1.0.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Rails"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-3741",
        "datePublished": "2018-03-30T19:00:00.000Z",
        "dateReserved": "2017-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:50:30.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7580 (GCVE-0-2015-7580)

    Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7580",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7580",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7579 (GCVE-0-2015-7579)

    Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.640Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
              },
              {
                "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
              },
              {
                "name": "FEDORA-2016-3a2606f993",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
              },
              {
                "name": "FEDORA-2016-59ce8b61dd",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
            },
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
            },
            {
              "name": "FEDORA-2016-3a2606f993",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
            },
            {
              "name": "FEDORA-2016-59ce8b61dd",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7579",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
                },
                {
                  "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
                },
                {
                  "name": "FEDORA-2016-3a2606f993",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
                },
                {
                  "name": "FEDORA-2016-59ce8b61dd",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7579",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.640Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7578 (GCVE-0-2015-7578)

    Vulnerability from nvd – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2016-3a2606f993",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
              },
              {
                "name": "FEDORA-2016-59ce8b61dd",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2016-3a2606f993",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
            },
            {
              "name": "FEDORA-2016-59ce8b61dd",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7578",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2016-3a2606f993",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
                },
                {
                  "name": "FEDORA-2016-59ce8b61dd",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7578",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-3741 (GCVE-0-2018-3741)

    Vulnerability from cvelistv5 – Published: 2018-03-30 19:00 – Updated: 2024-08-05 04:50
    VLAI
    Summary
    There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rails rails-html-sanitizer Affected: <= 1.0.3
    Create a notification for this product.
    Date Public
    2018-03-30 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T04:50:30.644Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rails-html-sanitizer",
              "vendor": "Rails",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.0.3"
                }
              ]
            }
          ],
          "datePublic": "2018-03-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-30T18:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-3741",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "rails-html-sanitizer",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c= 1.0.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Rails"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-3741",
        "datePublished": "2018-03-30T19:00:00.000Z",
        "dateReserved": "2017-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-05T04:50:30.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7579 (GCVE-0-2015-7579)

    Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.640Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
              },
              {
                "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
              },
              {
                "name": "FEDORA-2016-3a2606f993",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
              },
              {
                "name": "FEDORA-2016-59ce8b61dd",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
            },
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
            },
            {
              "name": "FEDORA-2016-3a2606f993",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
            },
            {
              "name": "FEDORA-2016-59ce8b61dd",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7579",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
                },
                {
                  "name": "[ruby-security-ann] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
                },
                {
                  "name": "FEDORA-2016-3a2606f993",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
                },
                {
                  "name": "FEDORA-2016-59ce8b61dd",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7579",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.640Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7580 (GCVE-0-2015-7580)

    Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7580",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[rubyonrails-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7580] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7580",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-7578 (GCVE-0-2015-7578)

    Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T07:51:28.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2016-3a2606f993",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
              },
              {
                "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
              },
              {
                "name": "SUSE-SU-2016:1146",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
              },
              {
                "name": "1034816",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1034816"
              },
              {
                "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
              },
              {
                "name": "FEDORA-2016-59ce8b61dd",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
              },
              {
                "name": "SUSE-SU-2016:0391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
              },
              {
                "name": "openSUSE-SU-2016:0356",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-09T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2016-3a2606f993",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
            },
            {
              "name": "1034816",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1034816"
            },
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
            },
            {
              "name": "FEDORA-2016-59ce8b61dd",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
            },
            {
              "name": "SUSE-SU-2016:0391",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
            },
            {
              "name": "openSUSE-SU-2016:0356",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2015-7578",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2016-3a2606f993",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
                },
                {
                  "name": "[oss-security] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
                },
                {
                  "name": "SUSE-SU-2016:1146",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
                },
                {
                  "name": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
                },
                {
                  "name": "1034816",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1034816"
                },
                {
                  "name": "[ruby-security-ann] 20160125 [CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer",
                  "refsource": "MLIST",
                  "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
                },
                {
                  "name": "FEDORA-2016-59ce8b61dd",
                  "refsource": "FEDORA",
                  "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
                },
                {
                  "name": "SUSE-SU-2016:0391",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
                },
                {
                  "name": "openSUSE-SU-2016:0356",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-7578",
        "datePublished": "2016-02-16T02:00:00.000Z",
        "dateReserved": "2015-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T07:51:28.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }