4.3
CVSSv2

CVE-2013-4491

Published: 07/12/2013 Updated: 08/08/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x prior to 3.2.16 and 4.x prior to 4.0.2 allows remote malicious users to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.

Affected Products

Vendor Product Versions
RubyonrailsRails3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 4.0.0, 4.0.1
RubyonrailsRuby On Rails3.0.4, 3.1.11, 3.2.14, 3.2.15

Vendor Advisories

Synopsis Important: ruby193-rubygem-actionpack security update Type/Severity Security Advisory: Important Topic Updated ruby193-rubygem-actionpack packages that fix multiple securityissues are now available for Red Hat OpenStack 30The Red Hat Security Response Team has rated this update as havingimportant ...
Synopsis Important: ruby193-rubygem-actionpack security update Type/Severity Security Advisory: Important Topic Updated ruby193-rubygem-actionpack packages that fix multiple securityissues are now available for Red Hat Software Collections 1The Red Hat Security Response Team has rated this update as having ...
It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementi ...
Debian Bug report logs - #731290 ruby-actionpack-40: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416] Package: ruby-actionpack-40; Maintainer for ruby-actionpack-40 is (unknown); Reported by: Antonio Terceiro <terceiro@debianorg> Date: Wed, 4 Dec 2013 01:09:01 UTC Severi ...
Debian Bug report logs - #731288 ruby-actionpack-32: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416] Package: ruby-actionpack-32; Maintainer for ruby-actionpack-32 is (unknown); Reported by: Antonio Terceiro <terceiro@debianorg> Date: Wed, 4 Dec 2013 01:09:01 UTC Severi ...