Aaron Patterson of the Ruby on Rails project reports:

There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails.

Versions Affected: All.
Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17.

Impact
------

These helpers allow users to nicely format a numeric value. Some of the parameters to the helper (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack.

All users passing user controlled data to these parameters of the number helpers should either upgrade or use one of the workarounds immediately.
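To make the advisory concrete, here is an added, constructed model of a number_to_currency-style helper (not the Rails implementation and not the upstream patch): it reproduces the shape of the defect, where caller-supplied format, negative_format and unit strings are interpolated straight into HTML output, and shows the mitigation of HTML-escaping those option values before interpolation, which is the approach the fixed versions are assumed to take. The function name, its keyword arguments and the sample tainted value are all assumptions made for this example.

```ruby
require "erb"

# Constructed stand-in for a Rails number helper. Format tokens follow the
# helper's documented convention: %u is the unit, %n is the formatted number.
# With escape: false it behaves like the vulnerable helper (option values land
# in the output verbatim); with escape: true (the default) every caller-supplied
# option is HTML-escaped first, so markup in user-controlled data is neutralised.
def format_currency(number, unit: "$", format: "%u%n", negative_format: nil,
                    precision: 2, escape: true)
  negative_format ||= "-" + format
  fmt = number.negative? ? negative_format : format

  if escape
    # Mitigation: escape the option strings, not just the numeric value.
    unit = ERB::Util.html_escape(unit)
    fmt  = ERB::Util.html_escape(fmt)
  end

  amount = "%.#{precision}f" % number.abs
  fmt.gsub("%u", unit).gsub("%n", amount)
end

# Constructed sample of user-controlled data containing markup, as a request
# parameter might. Not a payload taken from the advisory.
TAINTED_UNIT = "<b>$</b>"

if __FILE__ == $0
  puts "unescaped: #{format_currency(1234.5, unit: TAINTED_UNIT, escape: false)}"
  puts "escaped:   #{format_currency(1234.5, unit: TAINTED_UNIT)}"
  puts "negative:  #{format_currency(-3, unit: "EUR", negative_format: "(%u%n)")}"
end
```

A quick way to audit an application is to grep view code for these helpers and check whether format, negative_format or unit ever derive from params; those call sites are the ones the upgrade or workaround must cover.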
Created attachment 863436: 3-2-number_helpers_xss.patch
Created attachment 863437: 4-0-number_helpers_xss.patch
Created attachment 863438: 4-1-beta-number_helpers_xss.patch
Acknowledgements: Red Hat would like to thank the Ruby on Rails Project for reporting this issue. Upstream acknowledges Kevin Reintjes as the original reporter.
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1066666]
Fixed upstream in 3.2.17, 4.0.3, and 4.1.0.beta2:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
https://groups.google.com/forum/#!topic/ruby-security-ann/1PWnwW4jRkY

Upstream commits (3.2, 4.0 and master):
https://github.com/rails/rails/commit/eaa2101b294ef546cc3fb35cc3f49c73849ac470
https://github.com/rails/rails/commit/9e2d63d51a5e61bf1b0e7e369805aad84956cbe2
https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
rubygem-activerecord-4.0.0-2.fc20 and rubygem-actionpack-4.0.0-3.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: CloudForms Management Engine 5.x. Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html
This issue has been addressed in the following products: Red Hat Software Collections for RHEL-6. Via RHSA-2014:0306 https://rhn.redhat.com/errata/RHSA-2014-0306.html
Statement: Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.