CVE-2013-1855
actionpack Cross-site Scripting vulnerability
EPSS 0.54%
Description
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
How to fix CVE-2013-1855
To remediate CVE-2013-1855, upgrade the affected package to a fixed version below.
- Debian/rails: upgrade to 2.3.14.1 or later
- : upgrade to 2.3.18 or later
Is CVE-2013-1855 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.3.14.1
- from 0, < 2.3.18