Red Hat Bugzilla – Bug 1036910
CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
Last modified: 2016-04-26 12:42:27 EDT
Quoting from an upcoming Ruby on Rails security advisory: XSS Vulnerability in number_to_currency There is an XSS vulnerability in the number_to_currency helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6415. Versions Affected: All. Fixed Versions: 4.0.2, 3.2.16. Impact ------ The number_to_currency helper allows users to nicely format a numeric value. One of the parameters to the helper (unit) is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack. All users passing user controlled data as number_to_currency's unit parameters should either upgrade or use one of the workarounds immediately. Releases -------- The 4.0.2 and 3.2.16 releases are available at the normal locations. Credits ------- Thanks to Ankit Gupta for reporting the issue to us and working with us on a fix.
Created attachment 831790 [details] Upstream patch for 3.2.x
Created attachment 831792 [details] Upstream patch for 4.0.x
Fixed upstream in 3.2.16 and 4.0.2: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/ https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0 http://seclists.org/oss-sec/2013/q4/402 Upstream commits (3.2 and 4.0): https://github.com/rails/rails/commit/5ed70c591fa086d745b35a16713d91fc0e3ec858 https://github.com/rails/rails/commit/6658782d60651a65efc43b621225543dd30125c5
This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html
Acknowledgements: Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Ankit Gupta as the original reporter.
IssueDescription: It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.
This issue has been addressed in the following products: Red Hat Subscription Asset Manager 1.4 Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html