{ "threat_severity" : "Moderate", "public_date" : "2013-12-03T00:00:00Z", "bugzilla" : { "description" : "rubygem-actionpack: i18n missing translation XSS", "id" : "1036922", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1036922" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.", "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component." ], "acknowledgement" : "Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Peter McLarnan as the original reporter.", "affected_release" : [ { "product_name" : "OpenStack 3 for RHEL 6", "release_date" : "2014-01-06T00:00:00Z", "advisory" : "RHSA-2014:0008", "cpe" : "cpe:/a:redhat:openstack:3::el6", "package" : "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6" }, { "product_name" : "Red Hat Software Collections for RHEL-6", "release_date" : "2013-12-05T00:00:00Z", "advisory" : "RHSA-2013:1794", "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6", "package" : "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "katello-0:1.4.3.28-1.el6sam_splice" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-i18n-0:0.6.9-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-mail-0:2.5.4-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-rack-1:1.4.5-3.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-rails-1:3.2.17-1.el6sam" }, { "product_name" : "Red Hat Subscription Asset Manager 1.4", "release_date" : "2014-11-17T00:00:00Z", "advisory" : "RHSA-2014:1863", "cpe" : "cpe:/a:rhel_sam:1.4::el6", "package" : "ruby193-rubygem-railties-1:3.2.17-1.el6sam" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Will not fix", "package_name" : "ruby193-rubygem-actionpack", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "OpenShift Enterprise 1", "fix_state" : "Will not fix", "package_name" : "ruby193-rubygem-actionpack", "cpe" : "cpe:/a:redhat:openshift:1" }, { "product_name" : "Red Hat OpenStack Platform 4", "fix_state" : "Not affected", "package_name" : "ruby193-rubygem-actionpack", "cpe" : "cpe:/a:redhat:openstack:4" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "ruby193-rubygem-actionpack", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "ror40-rubygem-actionpack", "cpe" : "cpe:/a:redhat:rhel_software_collections:1" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Affected", "package_name" : "rubygem-actionpack", "cpe" : "cpe:/a:rhel_sam:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-4491\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-4491" ], "name" : "CVE-2013-4491", "csaw" : false }