CVE-2016-6316: actionview Cross-site Scripting vulnerability

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.83687%
Published: 10/24/2017
Updated: 11/6/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions   | First Patched Version
actionview   | rubygems  | >= 3.0.0, <= 3.2.22.2 | 3.2.22.3
actionview   | rubygems  | >= 4.0.0, <= 4.2.7    | 4.2.7.1
actionview   | rubygems  | = 5.0.0               | 5.0.0.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how HTML-safe strings were handled in tag attributes. The tag_options method in TagHelper is responsible for converting hash options to HTML attributes. When values were marked as HTML-safe (via .html_safe or sanitize), quote characters in attribute values were not properly escaped. This allowed attackers to break out of attribute contexts and inject arbitrary scripts. The patches for this CVE specifically modified tag_options handling to ensure quote escaping even for HTML-safe strings, confirming this as the vulnerable function.
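As an added illustration of the behaviour described above (this is not Rails' own code and not part of the original page), a simplified Ruby model of tag_options before and after the fix. SafeString stands in for ActiveSupport::SafeBuffer, and the attribute value is constructed for the example.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer: a String the caller has declared
# HTML-safe (the result of .html_safe or sanitize). Constructed for this example.
class SafeString < String; end

# Pre-patch behaviour, modelled: an HTML-safe value is written into the attribute
# verbatim, so a double quote inside it closes the attribute early.
def tag_options_vulnerable(options)
  options.map do |name, value|
    v = value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value.to_s)
    %( #{name}="#{v}")
  end.join
end

# Patched behaviour, modelled on the CVE-2016-6316 fix: HTML-safe values still
# skip full entity escaping (so markup the caller vouched for survives), but a
# double quote is always replaced with &quot;, so the attribute boundary holds.
def tag_options_fixed(options)
  options.map do |name, value|
    v = value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value.to_s)
    v = v.gsub('"', "&quot;")
    %( #{name}="#{v}")
  end.join
end

# Reads the rendered attribute string back roughly the way a browser would:
# name="value" pairs delimited by double quotes. Constructed helper.
def parse_attributes(rendered)
  rendered.scan(/([\w-]+)="([^"]*)"/).to_h
end

# Constructed sample input: a value marked HTML-safe that contains a double quote.
SAMPLE = { title: SafeString.new('Intro" data-injected="yes') }.freeze

# Vulnerable rendering yields two attributes from one option; fixed yields one.
def demo
  {
    vulnerable: parse_attributes(tag_options_vulnerable(SAMPLE)),
    fixed: parse_attributes(tag_options_fixed(SAMPLE)),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints both parses: the vulnerable one contains a second, injected attribute, while the fixed one keeps the whole value inside title.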


WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as
