Cross-site Scripting (XSS) Affecting activesupport package, versions >= 4.1.0 and < 4.1.11, or >= 4.2 and < 4.2.2


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.25% (66th percentile)

  • Snyk ID: SNYK-RUBY-ACTIVESUPPORT-20228
  • Published: 15 Jun 2015
  • Disclosed: 15 Jun 2015
  • Credit: Francois Chagnon

Introduced: 15 Jun 2015

CVE-2015-3226
CWE-79

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Rails does not perform adequate escaping when a Hash containing user-controlled data is encoded as JSON

When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

<%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

<script>
  var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
</script>

All applications that render JSON-encoded strings containing user-controlled data in their views should either upgrade to one of the fixed versions or apply the suggested workaround immediately.
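The following is an added example, not code from Snyk or from the Rails project, written in plain Ruby so it runs with only the standard json library. The hypothetical json_for_html helper is a stand-in for the guarantee that escape_html_entities_in_json is supposed to provide (it is not the ActiveSupport implementation): every raw <, > and & in the generated JSON becomes a \uXXXX escape, so the output cannot open or close a tag when interpolated into a <script> block, while JSON.parse still returns the original object. The helper names script_block_unsafe, script_block_safe, premature_script_close? and encoder_escapes_html? and the user-supplied input are assumptions constructed for the demonstration; the last of these is a check you can point at any encoder to see whether it honours the escaping the option promises.

```ruby
require 'json'

# Added example (not Snyk's or Rails' code). json_for_html does what
# escape_html_entities_in_json is meant to guarantee: '<', '>' and '&' in
# the generated JSON are replaced by their \uXXXX escapes, so the text can
# no longer open or close an HTML tag when interpolated into <script>.
# U+2028/U+2029 are escaped too: they are legal in JSON strings but act as
# line terminators in JavaScript. The JSON value is unchanged; JSON.parse
# gives back the original object.
HTML_UNSAFE_IN_JSON = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

def json_for_html(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| HTML_UNSAFE_IN_JSON[c] }
end

# The vulnerable pattern from the advisory, reduced to plain Ruby: JSON that
# still contains raw '<' and '>' is dropped into a script block as-is.
def script_block_unsafe(data)
  "<script>var data = #{JSON.generate(data)};</script>"
end

# The same block built from HTML-safe JSON.
def script_block_safe(data)
  "<script>var data = #{json_for_html(data)};</script>"
end

# True when the markup contains more than one closing script tag, i.e. the
# embedded data was able to terminate the <script> element early.
def premature_script_close?(html)
  html.scan(%r{</script}i).size > 1
end

# Regression check for an arbitrary encoder (on a Rails app, pass
# ->(h) { h.to_json }): the output must round-trip through JSON.parse and
# must contain no raw '<', '>' or '&'. A vulnerable encoder fails the
# second condition.
PROBE = { 'probe' => '<script>alert(1)</script> & more' }.freeze

def encoder_escapes_html?(encode)
  out = encode.call(PROBE)
  JSON.parse(out) == PROBE && out !~ /[<>&]/
end

# Constructed user-controlled input for the demonstration.
USER_SUPPLIED_DATA = { 'name' => '</script><script>alert(1)</script>', 'id' => 7 }.freeze

if __FILE__ == $PROGRAM_NAME
  puts script_block_unsafe(USER_SUPPLIED_DATA)
  puts script_block_safe(USER_SUPPLIED_DATA)
  puts "JSON.generate escapes HTML? #{encoder_escapes_html?(->(h) { JSON.generate(h) })}"
  puts "json_for_html escapes HTML? #{encoder_escapes_html?(method(:json_for_html))}"
end
```

In a Rails application the equivalent of json_for_html is ActiveSupport's ERB::Util.json_escape, which performs the same substitutions; calling encoder_escapes_html?(->(h) { h.to_json }) from a test is a cheap way to confirm that the activesupport version in use actually delivers the escaping that escape_html_entities_in_json advertises.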


CVSS Scores (version 3.1)