漏洞类别:CGI
漏洞等级: 
漏洞信息
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
漏洞危害
Successful exploitation could allow an attacker to execute arbitrary HTML and script code in a user's browser session under the context of the site. This may allow the attacker to access sensitive browser-based information such as authentication cookies and recently submitted data.
解决方案
Update to the patched versions
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论