Description

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

Remediation

References

CVE-2014-0081

Related Vulnerabilities

WordPress Plugin WP Job Manager Cross-Site Request Forgery (1.25.2)

WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.31)

MySQL CVE-2016-0662 Vulnerability (CVE-2016-0662)

concrete5 Improper Input Validation Vulnerability (CVE-2017-18195)

WordPress Plugin Search Types Custom Fields Widget Unspecified Vulnerability (1.3)

Severity

Medium

Classification

CVE-2014-0081 CWE-707

Tags

Missing Update Known Vulnerabilities