In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
CVE-2020-5267 - Medium Severity Vulnerability
Vulnerable Library - actionview-5.2.3.gem
Simple, battle-tested conventions and helpers for building web pages.
Library home page: https://rubygems.org/gems/actionview-5.2.3.gem
Dependency Hierarchy: - pundit-matchers-1.6.0.gem (Root Library) - rspec-rails-3.8.2.gem - actionpack-5.2.3.gem - :x: **actionview-5.2.3.gem** (Vulnerable Library)
Found in HEAD commit: e8aa1b3e0f79399ea66767ed9ce2ffeb0b8e7f45
Vulnerability Details
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
Publish Date: 2020-03-19
URL: CVE-2020-5267
CVSS 3 Score Details (4.8)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
Release Date: 2020-03-19
Fix Resolution: actionview:6.0.2.2, 5.2.4.2
Step up your Open Source Security Game with WhiteSource here