CVE-2013-1855 — MEDIUM (4.3)

Q: How severe is CVE-2013-1855?

CVE-2013-1855 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1855?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Rubyonrails Ruby On Rails, Redhat Enterprise Linux.

Vulnerability Description

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Rubyonrails	Rails	3.2.0
Rubyonrails	Ruby On Rails	<= 2.3.17
Redhat	Enterprise Linux	6.0

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2013-1855?

CVE-2013-1855 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2....

How severe is CVE-2013-1855?

CVE-2013-1855 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1855?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Rubyonrails Ruby On Rails, Redhat Enterprise Linux.