Quoting from an upcoming Ruby on Rails security advisory:

XSS Vulnerability in simple_format helper

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

Impact
------
The simple_format helper converts user supplied text into HTML text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as HTML attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled HTML attributes to simple_format should either upgrade or use one of the workarounds immediately.

Releases
--------
The 4.0.2 release is available at the normal locations.

Credits
-------
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.
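The impact section above describes the bug class without showing it. The following is an added, self-contained illustration written for this entry; it is not Rails code and not the upstream patch. It reimplements the shape of a paragraph-wrapping helper in plain Ruby (the helper names `wrap_paragraphs`, `vulnerable_format` and `fixed_format` are hypothetical, and the attacker value in `USER_CLASS` is constructed), with the only difference between the two variants being whether the values in the `html_options` hash are HTML-escaped when they are emitted into the wrapper tag's attributes. The real helper also runs the paragraph text through the Rails sanitizer; this stand-in just escapes it, which is enough to isolate the attribute problem.

```ruby
require "erb"

# Render a hash of attribute name/value pairs for an opening tag.
# When `escape` is false the value is interpolated verbatim, which is
# the failure mode the advisory describes: a value containing '"' can
# close the attribute and start a new one.
def tag_attributes(html_options, escape)
  html_options.map { |name, value|
    v = escape ? ERB::Util.html_escape(value) : value
    %( #{name}="#{v}")
  }.join
end

# Stand-in for a simple_format-style helper (hypothetical, not Rails).
# Splits text on blank lines and wraps each paragraph in <p>, carrying
# html_options onto every <p>. Paragraph text is always escaped here.
def wrap_paragraphs(text, html_options, escape_attributes:)
  paragraphs = text.split(/\n\n+/)
  paragraphs.map { |paragraph|
    "<p#{tag_attributes(html_options, escape_attributes)}>" \
    "#{ERB::Util.html_escape(paragraph)}</p>"
  }.join("\n\n")
end

# Affected behaviour: attribute values are not escaped.
def vulnerable_format(text, html_options = {})
  wrap_paragraphs(text, html_options, escape_attributes: false)
end

# Fixed behaviour: attribute values are escaped like any other output.
def fixed_format(text, html_options = {})
  wrap_paragraphs(text, html_options, escape_attributes: true)
end

# Constructed attacker input: a "CSS class" taken from a request parameter
# that closes the class attribute and injects an event handler.
USER_CLASS = %q{x" onmouseover="alert(1)}

# Returns true if the rendered markup contains a real on* event-handler
# attribute (i.e. the injection succeeded).
def event_handler_injected?(html)
  !!(html =~ /\son\w+="/)
end

if __FILE__ == $0
  puts vulnerable_format("hello", class: USER_CLASS)
  # <p class="x" onmouseover="alert(1)">hello</p>   <- injected handler
  puts fixed_format("hello", class: USER_CLASS)
  # <p class="x&quot; onmouseover=&quot;alert(1)">hello</p>   <- inert
end
```

The practical check for an application on 4.0.0 or 4.0.1 is therefore not whether `simple_format` is used at all, but whether anything in its `html_options` hash (`class`, `id`, `data-*`, and so on) can be influenced by a request; those call sites are the ones that need the upgrade or a workaround.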
Created attachment 831793
Upstream patch for 4.0.x
Fixed upstream in 4.0.2:
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
http://seclists.org/oss-sec/2013/q4/404

Upstream commit:
https://github.com/rails/rails/commit/4b4f5847f64f81c961625e647711ef9f6ad1a454
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.

Statement:

Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.