CVE-2013-6416: actionpack Cross-site Scripting vulnerability
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2013-6416
GHSA ID
EPSS Score: 0.46484%
CWE
Published: 10/24/2017
Updated: 7/26/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector (v2): AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
actionpack | rubygems | >= 4.0.0, < 4.0.2 | 4.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how simple_format handled the html_options parameter when generating HTML tags. The pre-patch code passed options[:sanitize] to content_tag as its escape argument, a single flag that governs escaping of both the tag's content and the attribute values taken from html_options, so content sanitization and attribute escaping were conflated. Because options[:sanitize] is nil unless the caller sets it explicitly, that flag was falsy in the default case as well as when a caller passed sanitize: false, and any attribute value an application derived from user input (for example a class name carrying `" onmouseover="...`) was rendered into the output unescaped, allowing injection of event handlers and other attributes. The fix in 4.0.2 changed the content_tag invocation: it dropped the escape argument, so content_tag escapes attributes by default, and passed the already-sanitized paragraph as an html_safe string so the paragraph's own markup is not escaped a second time.
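The following is an added illustration, not Rails' code and not part of this advisory: a pure-Ruby model of the ActionView pieces involved, with the pre-patch and patched shapes of simple_format side by side. SafeString, html_safe?, raw, h, sanitize, content_tag, split_paragraphs, simple_format_vulnerable and simple_format_fixed are stand-ins that mirror the relevant behaviour of the real helpers (one escape flag covering both body and attributes; a sanitizer that returns a safe string); the attacker payload is constructed. Run it to see the unescaped attribute in the vulnerable output and the `&quot;`-escaped value in the fixed one.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer: a String marked as already escaped.
class SafeString < String; end

def html_safe?(s)
  s.is_a?(SafeString)
end

# Stand-in for ActionView's raw: mark a string as safe without escaping it.
def raw(s)
  SafeString.new(s.to_s)
end

# Escape unless already safe (mirrors ERB::Util.html_escape's html_safe? check).
def h(s)
  html_safe?(s) ? s : CGI.escapeHTML(s.to_s)
end

# Model of content_tag: ONE `escape` flag governs both the body and the
# attribute values. This coupling is the root cause: a nil or false flag
# leaves attribute values unescaped as well.
def content_tag(name, content, attrs = {}, escape = true)
  attr_str = attrs.map { |k, v|
    value = escape ? CGI.escapeHTML(v.to_s) : v.to_s
    %( #{k}="#{value}")
  }.join
  body = escape ? h(content) : content.to_s
  "<#{name}#{attr_str}>#{body}</#{name}>"
end

# Toy sanitizer standing in for Rails' whitelist sanitizer: strips tags and
# returns a safe string, as the real one does.
def sanitize(text)
  raw(text.to_s.gsub(/<[^>]*>/, ""))
end

# Paragraph split; carries the safe marking of the input over to each piece.
def split_paragraphs(text)
  pieces = text.to_s.split(/\n\n+/)
  html_safe?(text) ? pieces.map { |p| raw(p) } : pieces
end

# Pre-4.0.2 shape: options[:sanitize] is handed to content_tag as the escape
# flag. It is nil when the caller does not set it, so attributes go unescaped.
def simple_format_vulnerable(text, html_options = {}, options = {})
  wrapper_tag = options.fetch(:wrapper_tag, :p)
  text = sanitize(text) if options.fetch(:sanitize, true)
  split_paragraphs(text).map { |paragraph|
    content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
  }.join("\n\n")
end

# 4.0.2 shape: the escape argument is dropped (defaults to true, so attribute
# values are escaped) and the already-sanitized paragraph is passed as safe so
# its markup is not escaped a second time.
def simple_format_fixed(text, html_options = {}, options = {})
  wrapper_tag = options.fetch(:wrapper_tag, :p)
  text = sanitize(text) if options.fetch(:sanitize, true)
  split_paragraphs(text).map { |paragraph|
    content_tag(wrapper_tag, raw(paragraph), html_options)
  }.join("\n\n")
end

if __FILE__ == $0
  # Constructed attacker input landing in html_options (e.g. a CSS class the
  # user picks): it closes the attribute and adds an event handler.
  payload = 'x" onmouseover="alert(1)'
  puts simple_format_vulnerable("Hello", class: payload)
  puts simple_format_fixed("Hello", class: payload)
end
```

The practical check for an application on the affected versions is therefore not "do we pass sanitize: false" but "does anything user-influenced reach the html_options hash of simple_format"; only callers that explicitly passed sanitize: true got escaped attributes before the patch.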