| Field | Value |
|---|---|
| Description | In Action View before versions 220.127.116.11 and 18.104.22.168 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named `html` or ending in `_html`, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 22.214.171.124 and 126.96.36.199. A workaround without upgrading is proposed in the source advisory. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
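The defect described above is easiest to see in a reduced model of the helper. The following is an added example, not Action View's own code: `SafeString` is a hypothetical stand-in for Rails' `ActiveSupport::SafeBuffer`, `TRANSLATIONS` is a constructed in-memory lookup, and `translate_vulnerable` / `translate_hardened` are hypothetical names. The vulnerable shape marks the caller's fallback as HTML-safe just because the key ends in `_html`; the hardened shape only trusts a fallback that was already marked safe and escapes everything else.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer: a String that reports
# itself as already-escaped. Constructed for this example, not Rails code.
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed translation store; values under *_html keys are trusted markup
# authored by the application, which is the normal Rails convention.
TRANSLATIONS = { 'greeting_html' => '<b>Hello</b>' }.freeze

# Keys named "html" or ending in "_html" are treated as HTML keys.
def html_key?(key)
  k = key.to_s
  k == 'html' || k.end_with?('_html')
end

# Vulnerable shape: when the key is missing, the caller-supplied default is
# returned marked HTML-safe without escaping, purely because of the key name.
# If the default comes from user input, its markup reaches the page verbatim.
def translate_vulnerable(key, default:)
  value = TRANSLATIONS.fetch(key.to_s, default).to_s
  html_key?(key) ? SafeString.new(value) : value
end

# Hardened shape: stored translations keep the existing convention, but a
# fallback default is only trusted if the caller already marked it safe;
# any other default is HTML-escaped before it can be marked safe.
def translate_hardened(key, default:)
  if TRANSLATIONS.key?(key.to_s)
    value = TRANSLATIONS[key.to_s]
    return html_key?(key) ? SafeString.new(value) : value
  end
  return default if default.respond_to?(:html_safe?) && default.html_safe?

  escaped = ERB::Util.html_escape(default.to_s)
  html_key?(key) ? SafeString.new(escaped) : escaped
end

if __FILE__ == $PROGRAM_NAME
  untrusted = '<b>user supplied</b>' # constructed stand-in for request input
  puts "vulnerable: #{translate_vulnerable('missing_html', default: untrusted)}"
  puts "hardened:   #{translate_hardened('missing_html', default: untrusted)}"
end
```

Running the file prints the raw markup for the vulnerable helper and the escaped form for the hardened one. The practical check for an application that cannot upgrade yet is the same one the hardened helper enforces: audit every `t`/`translate` call whose `default:` can be influenced by a request, and make sure that value is escaped (or never allowed to reach an `_html` key) before the helper sees it.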
Vulnerable and fixed packages
The table below lists information on source packages.
| Release | Version | Status |
|---|---|---|
| bullseye (security), bullseye | 2:188.8.131.52+dfsg-2+deb11u2 | fixed |
The information below is based on the following data on fixed versions.