CVE-2013-1855

CVSS V2: Medium (4.3)   CVSS V3: None
Description
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
Overview
  • CVE ID: CVE-2013-1855
  • Assigner: secalert@redhat.com
  • Vulnerability Status: Modified
  • Published Version: 2013-03-19T22:55:01
  • Last Modified Date: 2023-02-13T00:28:01
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* 1 OR 2.3.17
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Base Score: 4.3
  • Severity: MEDIUM
  • Exploitability Score: 8.6
  • Impact Score: 2.9
History
Created Old Value New Value Data Type Notes
2022-05-10 17:39:04 Added to TrackCVE
2023-02-02 19:03:57 2023-02-02T18:17:19 CVE Modified Date updated
2023-02-02 19:03:57 Analyzed Modified Vulnerability Status updated
2023-02-02 19:03:58 The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack. Description updated
2023-02-02 19:04:05 References updated
2023-02-13 01:04:14 2023-02-13T00:28:01 CVE Modified Date updated
2023-02-13 01:04:15 A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack. The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Description updated