Back to search
CVE-2020-5267
Published: Mar 19, 2020
Modified: Aug 4, 2024
PUBLISHED
CVSS v3.1
4.0
MEDIUM
Description
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
| Vendor | Product | Versions |
|---|---|---|
rails | actionview | affected < 5.2.4.2affected >= 6.0.0, < 6.0.2.2 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
References
https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
x_refsource_CONFIRM
[oss-security] 20200319 [CVE-2020-5267] Possible XSS vulnerability in ActionView
mailing-list
x_refsource_MLIST
[debian-lts-announce] 20200320 [SECURITY] [DLA 2149-1] rails security update
mailing-list
x_refsource_MLIST
openSUSE-SU-2020:0627
vendor-advisory
x_refsource_SUSE
FEDORA-2020-4dd34860a3
vendor-advisory
x_refsource_FEDORA
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now