CVE-2020-15169.yml
43 lines (37 loc) · 1.51 KB
---
gem: actionview
framework: rails
cve: 2020-15169
ghsa: cfjv-5498-mph5
url: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
title: Potential XSS vulnerability in Action View
date: 2020-09-09
description: |
  There is a potential Cross-Site Scripting (XSS) vulnerability in Action
  View's translation helpers. Views that allow the user to control the
  default (not found) value of the `t` and `translate` helpers could be
  susceptible to XSS attacks.

  Impact
  ------

  When an HTML-unsafe string is passed as the default for a missing
  translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations),
  the default string is incorrectly marked as HTML-safe and not escaped.

  Vulnerable code may look like the following examples:

  ```erb
  <%# The welcome_html translation is not defined for the current locale: %>
  <%= t("welcome_html", default: untrusted_user_controlled_string) %>

  <%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
  <%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>
  ```

  Workarounds
  -----------

  Impacted users who can't upgrade to a patched Rails version can avoid
  this issue by manually escaping default translations with the
  `html_escape` helper (aliased as `h`):

  ```erb
  <%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
  ```
cvss_v3: 5.4
patched_versions:
- "~> 5.2.4, >= 5.2.4.4"
- ">= 6.0.3.3"