CVE-2020-5267 MEDIUM

CVE-2020-5267: Possible XSS vulnerability in ActionView

Vendor: Rails
Product: actionview
Weakness: CWE-80 · XSS · basic
Published: March 19, 2020
Last update: August 4, 2024

CVSS base score: 4.0/10

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
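
To check whether a project resolves to an affected release, the Ruby sketch below reads the actionview entry from Gemfile.lock text and compares it with the two fixed versions named above. It is an added example, not code from Rails or from this record; the names `PATCHED`, `LOCK_LINE`, `actionview_versions`, `affected?`, `audit` and `SAMPLE_LOCK` are hypothetical, and it assumes that later 5.2.x releases carry the 5.2.4.2 fix and that no other pre-6.0 series was patched.

```ruby
require "rubygems"

# Fixed releases named in the record: 5.2.4.2 and 6.0.2.2.
# Assumption: "~> 5.2.4, >= 5.2.4.2" covers 5.2.4.2 and later 5.2.x only;
# anything else below 6.0.2.2 is treated as affected.
PATCHED = [
  Gem::Requirement.new("~> 5.2.4", ">= 5.2.4.2"),
  Gem::Requirement.new(">= 6.0.2.2")
].freeze

# A resolved gem in Gemfile.lock is indented four spaces: "    name (version)".
# Dependency lines are indented six spaces and are deliberately not matched.
LOCK_LINE = /\A {4}actionview \(([^)\s]+)\)\s*\z/

# Returns every resolved actionview version found in the lockfile text.
def actionview_versions(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = LOCK_LINE.match(line.chomp)
    next unless m && Gem::Version.correct?(m[1])
    Gem::Version.new(m[1])
  end
end

# True when the version satisfies none of the patched requirements.
def affected?(version)
  v = version.is_a?(Gem::Version) ? version : Gem::Version.new(version)
  PATCHED.none? { |req| req.satisfied_by?(v) }
end

# Returns [version_string, affected_boolean] pairs for a lockfile.
def audit(lockfile_text)
  actionview_versions(lockfile_text).map { |v| [v.to_s, affected?(v)] }
end

# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (6.0.2.1)
        activesupport (= 6.0.2.1)
        builder (~> 3.1)
      activesupport (6.0.2.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |ver, bad|
    puts "actionview #{ver}: #{bad ? 'AFFECTED by CVE-2020-5267' : 'patched'}"
  end
end
```

A patched version number only shows the fix is installed; views that build JavaScript from user-controlled values through `j` or `escape_javascript` are still worth reviewing after the upgrade.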

Key dates

02 Disclosure timeline

March 19, 2020: CVE published
August 4, 2024: Record updated