|Description||In Action View before versions 126.96.36.199 and 188.8.131.52 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 184.108.40.206 and 220.127.116.11. A workaround without upgrading is proposed in the source advisory.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, buster (security)||2:18.104.22.168+dfsg-1+deb10u3||fixed|
|bookworm, bullseye, sid||2:22.214.171.124+dfsg-2||fixed|
The information below is based on the following data on fixed versions.