Update CVSS v2 Base Score on actionpack gem advisories

gems/actionpack/CVE-2014-0130.yml

@@ -15,7 +15,7 @@ description: |
   use a specially crafted request to retrieve arbitrary files from the
   rails application server.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.18

gems/actionpack/CVE-2014-7818.yml

@@ -12,7 +12,7 @@ description: |
   files will not be served, but attackers can determine whether or not the file
   exists.
 
-cvss_v2:
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.20

gems/actionpack/CVE-2014-7829.yml

@@ -13,7 +13,7 @@ description: |
   exists.  This vulnerability is very similar to CVE-2014-7818, but the
   specially crafted string is slightly different.
 
-cvss_v2:
+cvss_v2: 5.0
 
 patched_versions:
   - ~> 3.2.21

gems/actionpack/OSVDB-100524.yml

@@ -13,7 +13,7 @@ description: |
   of the parameters to the helper (unit) is not escaped correctly.  Applications
   which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.16

gems/actionpack/OSVDB-100525.yml

@@ -8,10 +8,10 @@ title: Denial of Service Vulnerability in Action View
 date: 2013-12-03
 
 description: |
-  There is a denial of service vulnerability in the header handling component of 
+  There is a denial of service vulnerability in the header handling component of
   Action View.
 
-cvss_v2: 
+cvss_v2: 5.0
 
 unaffected_versions:
   - ~> 2.3.0

gems/actionpack/OSVDB-100526.yml

@@ -9,14 +9,14 @@ date: 2013-12-03
 
 description: |
   There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text 
-  which is intended to be safe for display. A change made to the 
-  implementation of this helper means that any user provided HTML 
-  attributes will not be escaped correctly. As a result of this error, 
-  applications which pass user-controlled data to be included as html 
+  The simple_format helper converts user supplied text into html text
+  which is intended to be safe for display. A change made to the
+  implementation of this helper means that any user provided HTML
+  attributes will not be escaped correctly. As a result of this error,
+  applications which pass user-controlled data to be included as html
   attributes will be vulnerable to an XSS attack.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 unaffected_versions:
   - ~> 2.3.0

gems/actionpack/OSVDB-100527.yml

@@ -15,9 +15,9 @@ description: |
   parameters insecurely and store them in the same key that Rails uses
   for its own parameters.  In the event that happens the application
   will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability. 
+  vulnerability.
 
-cvss_v2: 
+cvss_v2: 6.4
 
 patched_versions:
   - ~> 3.2.16

gems/actionpack/OSVDB-100528.yml

@@ -11,11 +11,11 @@ description: |
   There is a vulnerability in the internationalization component of Ruby on
   Rails. Under certain common configurations an attacker can provide specially
   crafted input which will execute a reflective XSS attack.
-  
+
   The root cause of this issue is a vulnerability in the i18n gem which has
   been assigned the identifier CVE-2013-4492.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.16

gems/actionpack/OSVDB-103439.yml

@@ -16,7 +16,7 @@ description: |
   script code in a user's browser session within the trust relationship between
   their browser and the server.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.17

gems/actionpack/OSVDB-103440.yml

@@ -13,7 +13,7 @@ description: |
   handling MIME types that are converted to symbols. This may allow a
   remote attacker to cause a denial of service.
 
-cvss_v2: 
+cvss_v2: 5.0
 
 unaffected_versions:
   - ~> 4.0.0

gems/actionpack/OSVDB-84243.yml

@@ -1,10 +1,10 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2012-3424
 osvdb: 84243
 url: http://www.osvdb.org/show/osvdb/84243
-title: 
+title:
   Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
   with_http_digest Helper Method Remote DoS
 date: 2012-07-26
@@ -16,12 +16,12 @@ description: |
   with_http_digest helper method is being used. This may allow a remote
   attacker to cause a loss of availability for the program.
 
-cvss_v2: 4.3
+cvss_v2: 5.0
 
 unaffected_versions:
   - ">= 2.3.5, <= 2.3.14"
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.16
   - ~> 3.1.7
   - ">= 3.2.7"

gems/actionpack/OSVDB-91452.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2013-1855
@@ -7,14 +7,14 @@ url: http://www.osvdb.org/show/osvdb/91452
 title: XSS vulnerability in sanitize_css in Action Pack
 date: 2013-03-19
 
-description: | 
+description: |
   There is an XSS vulnerability in the `sanitize_css` method in Action
   Pack. Carefully crafted text can bypass the sanitization provided in
   the `sanitize_css` method in Action Pack
 
-cvss_v2: 4.0
+cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 2.3.18
   - ~> 3.1.12
   - ">= 3.2.13"

gems/actionpack/OSVDB-91454.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2013-1857
@@ -7,17 +7,17 @@ url: http://osvdb.org/show/osvdb/91454
 title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
 date: 2013-03-19
 
-description: | 
+description: |
   The sanitize helper in Ruby on Rails is designed to
   filter HTML and remove all tags and attributes which could be
   malicious. The code which ensured that URLs only contain supported
   protocols contained several bugs which could allow an attacker to
   embed a tag containing a URL which executes arbitrary javascript
   code.
 
-cvss_v2: 4.0
+cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 2.3.18
   - ~> 3.1.12
   - ">= 3.2.13"