CVE-2013-1855
Description
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
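The newline handling flaw, as an added example in Ruby (this is not Action Pack's own code): a simplified model of the "gauntlet" regular-expression check that sanitize_css runs before it extracts CSS declarations. In Ruby, ^ and $ match at line boundaries, so a line-anchored pattern validates only one line of a multi-line style string; anchoring with \A and \z, which is the approach the upstream fix took, validates the whole string. The property allow-list, the expression(...) payload, the dangerous? helper and the function names are assumptions made for this example.

```ruby
# Added example, not Action Pack's code: a cut-down model of the
# sanitize_css "gauntlet" check, in a vulnerable (line-anchored) and a
# fixed (string-anchored) variant, run against a constructed payload.

# Assumed allow-list of CSS properties for this example.
ALLOWED_PROPS = %w[color width background-color].freeze

# Gauntlet: letters, digits, whitespace and a few punctuation characters;
# parentheses may only enclose digits, commas and whitespace, so a call
# such as expression(alert(1)) must never pass.
# Vulnerable: ^ and $ match at any line boundary in Ruby.
GAUNTLET_LINE  = /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\([\d,\s]+\))*$/
# Fixed: \A and \z match only at the start and end of the whole string.
GAUNTLET_WHOLE = /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\([\d,\s]+\))*\z/

def sanitize_css(style, gauntlet)
  # Reject anything that is not a plain declaration list.
  return '' unless style =~ gauntlet

  # Pull out "prop: value" pairs and keep only allow-listed properties.
  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    clean << "#{prop}: #{val.strip};" if ALLOWED_PROPS.include?(prop.downcase)
  end
  clean.join(' ')
end

def vulnerable_sanitize_css(style)
  sanitize_css(style, GAUNTLET_LINE)
end

def fixed_sanitize_css(style)
  sanitize_css(style, GAUNTLET_WHOLE)
end

# Constructed payload: the first line is harmless and satisfies the
# line-anchored gauntlet on its own; the second line smuggles a CSS
# expression() (legacy IE executed JavaScript inside expression()).
PAYLOAD = "color: red;\nwidth: expression(alert(1))"

# Assumed helper: a crude check for the smuggled construct.
def dangerous?(css)
  css.include?('expression(')
end

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_sanitize_css(PAYLOAD).inspect}"
  puts "fixed:      #{fixed_sanitize_css(PAYLOAD).inspect}"
end
```

The vulnerable variant matches ^...$ against the first line only, then the property scan happily extracts width: expression(alert(1)) from the second line and emits it; the fixed variant has to match the entire string, fails at the parenthesised non-numeric content, and returns an empty string.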
Risk Information
Base Score
8.6
HIGH (8.6 falls in the CVSS v3.1 High range, 7.0 to 8.9)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
0.536
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack 2.3.18 | Windows |
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack 3.1.12 | Windows |
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack 3.2.13 | Windows |
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack for Linux 2.3.18 | Linux |
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack for Linux 3.1.12 | Linux |
| Vulnerabilities CVE-2013-1855,CVE-2013-1857 are fixed in Ruby-actionpack for Linux 3.2.13 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2013-1855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855