|Description||In Action View before versions 18.104.22.168 and 22.214.171.124 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 126.96.36.199 and 188.8.131.52. A workaround without upgrading is proposed in the source advisory.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, buster (security)||2:184.108.40.206+dfsg-1+deb10u2||fixed|
The information below is based on the following data on fixed versions.