1. Home
  2. CVE Database
  3. CVE-2020-15169
MEDIUM · 5.4

CVE-2020-15169

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default ...

Vulnerability Description

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Action View ProjectAction View< 5.2.4.4
DebianDebian Linux10.0
FedoraprojectFedora33

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2020-15169?

CVE-2020-15169 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default ...

How severe is CVE-2020-15169?

CVE-2020-15169 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15169?

Check the references section above for vendor advisories and patch information. Affected products include: Action View Project Action View, Debian Debian Linux, Fedoraproject Fedora.