Bug 1036914 (CVE-2013-6416) - CVE-2013-6416 rubygem-actionpack: simple_format XSS
Summary: CVE-2013-6416 rubygem-actionpack: simple_format XSS
Alias: CVE-2013-6416
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1036421
Blocks: 1036411
TreeView+ depends on / blocked
Reported: 2013-12-02 21:47 UTC by Tomas Hoger
Modified: 2021-02-17 07:07 UTC (History)
13 users (show)

Fixed In Version: rubygem-actionpack 4.0.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-12-16 14:59:59 UTC

Attachments (Terms of Use)
Upstream patch for 4.0.x (1.11 KB, patch)
2013-12-02 21:49 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2013-12-02 21:47:29 UTC
Quoting from an upcoming Ruby on Rails security advisory:

XSS Vulnerability in simple_format helper 

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

The simple_format helper converts user supplied text into html text which is intended to be safe for display.  A change  made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly.  As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the work arounds immediately. 

The 4.0.2 release is available at the normal locations. 

Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.

Comment 1 Tomas Hoger 2013-12-02 21:49:45 UTC
Created attachment 831793 [details]
Upstream patch for 4.0.x

Comment 3 Tomas Hoger 2013-12-16 14:59:59 UTC
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.


Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.

Note You need to log in before you can comment on or make changes to this bug.