Version 8.0.0

actionview

Ruby on Rails

Install Instructions

gem install actionview
Current Version Release Date November 07, 2024
Language Ruby
Package URL (purl) pkg:gem/actionview@8.0.0

Find actionview vulnerabilities in your supply chain.

Scan for Free

actionview Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2019-5418 High 7.5 CWE-22 0.97415 0.99952
  • 5.0.0–5.2.2.rc1
  • 4.1.0–4.2.11
CVE-2019-5419 High 7.5 CWE-400, CWE-770 0.00282 0.69329
  • 6.0.0.beta1–6.0.0.beta2
  • 5.0.0–5.2.2.rc1
  • 4.1.0–4.2.11
CVE-2020-15169 Medium 6.1 CWE-79 0.02192 0.89803
  • 6.0.0–6.0.3.2
  • 5.0.0–5.2.4.3
  • 4.1.0–4.2.11.3
CVE-2020-5267 Medium 4.8 CWE-80, CWE-79 0.00121 0.47871
  • 6.0.0–6.0.2.1
  • 5.0.0–5.2.4.1
  • 4.1.0–4.2.11.3
CVE-2020-8167 Medium 6.5 CWE-352 0.00219 0.60664
  • 6.0.0–6.0.3.rc1
  • 5.0.0–5.2.4.2
CVE-2022-27777 Medium 6.1 CWE-79 0.0008 0.36114
  • 7.0.0–7.0.2.3
  • 6.0.0–6.1.5
  • 5.0.0–5.2.7
  • 4.1.0–4.2.11.3
CVE-2023-23913 Unknown None None
  • 7.0.0–7.0.4.2
  • 6.0.0–6.1.7.2
  • 5.1.0–5.2.8.1
CVE-2016-0752 High 7.5 CWE-22, CWE-200 0.9719 0.9986
  • 4.1.0–4.2.5.rc2
CVE-2016-2097 Medium 5.3 CWE-22, CWE-200 0.01099 0.85014
  • 4.1.0–4.1.14.1
CVE-2016-6316 Medium 6.1 CWE-79 0.00305 0.70506
  • 5.0.0
  • 4.1.0–4.2.8.rc1
CVE-2020-8163 High 8.8 CWE-94 0.96502 0.9965
  • 4.1.0–4.2.11.1

actionview Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2023-23913 NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute. This vulnerability has been assigned the CVE identifier CVE-2023-23913. Not affected: < 5.1.0 Versions Affected: >= 5.1.0 Fixed Versions: 6.1.7.3, 7.0.4.3 Impact If the specified malicious HTML clipboard content is provided to a contenteditable element, this could result in the arbitrary execution of javascript on the origin in question. Releases The FIXED releases are available at the normal locations. Workarounds We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can attempt to mitigate this vulnerability by removing the contenteditable attribute from elements in pages that rails-ujs will interact with. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series * rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits We would like to thank ryotak 15 for reporting this! * rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB) * rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB) * rails-ujs-data-method-contenteditable-main.patch (8.9 KB) 5.1.2.rc1, 6.0.0, 5.2.4.3, 5.2.2, 5.1.0, 5.1.6.1, 5.1.6, 5.1.4 (Show all) Patch → 6.1.7.3
CVE-2022-27777 A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. 5.1.2.rc1, 5.0.5, 6.0.0, 5.2.4.3, 4.1.13.rc1, 4.2.0.beta3, 5.2.2, 5.1.0 (Show all) Patch → 6.1.7.3
CVE-2020-8167 A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. 5.1.2.rc1, 5.0.5, 6.0.0, 5.2.2, 5.1.0, 5.1.6.1, 5.1.6, 5.1.4 (Show all) Patch → 6.1.7.3
CVE-2020-8163 The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. 4.1.13.rc1, 4.2.0.beta3, 4.2.2, 4.2.0.beta1, 4.2.3, 4.2.0.rc3, 4.1.16.rc1, 4.1.10 (Show all) Patch → 6.1.7.3
CVE-2020-5267 In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2. 5.1.2.rc1, 5.0.5, 6.0.0, 4.1.13.rc1, 4.2.0.beta3, 5.2.2, 5.1.0, 5.1.6.1 (Show all) Patch → 6.1.7.3
CVE-2020-15169 In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory. 5.1.2.rc1, 5.0.5, 6.0.0, 5.2.4.3, 4.1.13.rc1, 4.2.0.beta3, 5.2.2, 5.1.0 (Show all) Patch → 6.1.7.3
CVE-2019-5419 There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. 5.1.2.rc1, 5.0.5, 4.1.13.rc1, 4.2.0.beta3, 5.2.2, 5.1.0, 5.1.6.1, 5.1.6 (Show all) Patch → 6.1.7.3
CVE-2019-5418 There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. 5.1.2.rc1, 5.0.5, 4.1.13.rc1, 4.2.0.beta3, 5.2.2, 5.1.0, 5.1.6.1, 5.1.6 (Show all) Patch → 6.1.7.3
CVE-2016-6316 Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers. 4.1.13.rc1, 4.2.0.beta3, 4.2.2, 4.2.0.beta1, 4.2.3, 4.2.0.rc3, 4.1.16.rc1, 4.1.10 (Show all) Patch → 6.1.7.3
CVE-2016-2097 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. 4.1.13.rc1, 4.1.10, 4.1.0.beta2, 4.1.11, 4.1.10.rc1, 4.1.2.rc2, 4.1.0, 4.1.6 (Show all) Patch → 6.1.7.3
CVE-2016-0752 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. 4.1.13.rc1, 4.2.2, 4.2.3, 4.1.10, 4.1.0.beta2, 4.1.11, 4.1.10.rc1, 4.1.2.rc2 (Show all) Patch → 6.1.7.3

Instantly see if these actionview vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of actionview affected by its vulnerabilities

Dependent Packages
activesupport= 8.0.0
builder~> 3.1
erubi~> 1.11
rails-dom-testing~> 2.2
rails-html-sanitizer~> 1.6