CVE-2016-6316

Name: CVE-2016-6316
Description: Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-604-1, DSA-3651-1
NVD severity: medium (attack range: remote)
Debian Bugs: 834155

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            | Release                   | Version            | Status
rails (PTS)               | wheezy                    | 2:2.3.14.2         | fixed
                          | jessie (security), jessie | 2:4.1.8-1+deb8u4   | fixed
                          | stretch                   | 2:4.2.7.1-1        | fixed
                          | buster, sid               | 2:4.2.9-4          | fixed
ruby-actionpack-3.2 (PTS) | wheezy                    | 3.2.6-6+deb7u2     | vulnerable
                          | wheezy (security)         | 3.2.6-6+deb7u3     | fixed

The information below is based on the following data on fixed versions.

Package             | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
rails               | source | (unstable) | 2:4.2.7.1-1      | low     |            | 834155
rails               | source | jessie     | 2:4.1.8-1+deb8u4 | medium  | DSA-3651-1 |
rails               | source | wheezy     | (not affected)   |         |            |
ruby-actionpack-3.2 | source | (unstable) | (unfixed)        | medium  |            |
ruby-actionpack-3.2 | source | wheezy     | 3.2.6-6+deb7u3   | medium  | DLA-604-1  |

Notes

[wheezy] - rails <not-affected> (Vulnerable code not present, is only a transitional package)
https://github.com/rails/rails/commit/4bcccf5ecd81a6272479537911b7d9760c5be164
