QwikSec

Security Database

CVE

CWE

Training

CVE-2013-1855

Published: Mar 19, 2013

Modified: Aug 6, 2024

PUBLISHED

Description

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

APPLE-SA-2013-10-22-5

vendor-advisory

x_refsource_APPLE

[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack

mailing-list

x_refsource_MLIST

openSUSE-SU-2014:0019

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2013:0662

vendor-advisory

x_refsource_SUSE

http://support.apple.com/kb/HT5784

x_refsource_CONFIRM

vendor-advisory

x_refsource_REDHAT

APPLE-SA-2013-06-04-1

vendor-advisory

x_refsource_APPLE

openSUSE-SU-2013:0661

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_REDHAT

http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.