{
  "threat_severity" : "Moderate",
  "public_date" : "2013-03-18T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css",
    "id" : "921331",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=921331"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.", "A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack." ],
  "acknowledgement" : "Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Charlie Somerville as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "katello-0:1.4.3.28-1.el6sam_splice"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-i18n-0:0.6.9-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-mail-0:2.5.4-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-rack-1:1.4.5-3.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-rails-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-railties-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "RHEL 6 Version of OpenShift Enterprise",
    "release_date" : "2013-04-02T00:00:00Z",
    "advisory" : "RHSA-2013:0698",
    "cpe" : "cpe:/a:redhat:openshift:1::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.8-5.el6"
  }, {
    "product_name" : "RHEL 6 Version of OpenShift Enterprise",
    "release_date" : "2013-04-02T00:00:00Z",
    "advisory" : "RHSA-2013:0698",
    "cpe" : "cpe:/a:redhat:openshift:1::el6",
    "package" : "rubygem-actionpack-1:3.0.13-8.el6op"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-1855\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1855" ],
  "name" : "CVE-2013-1855",
  "csaw" : false
}