CVE-2020-5267 (Medium) detected in actionview-4.1.0.gem

[mend-for-github-com]

CVE-2020-5267 - Medium Severity Vulnerability

Vulnerable Library - actionview-4.1.0.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-4.1.0.gem

Dependency Hierarchy:

• rails-4.1.0.gem (Root Library)
  • actionmailer-4.1.0.gem
    • ❌ actionview-4.1.0.gem (Vulnerable Library)

Found in HEAD commit: 5a413d9b2f9c78839525a25524a6091e2a91db92

Found in base branch: master

Vulnerability Details

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.

Publish Date: 2020-03-19

URL: CVE-2020-5267

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267

Release Date: 2020-10-05

Fix Resolution: actionview:6.0.2.2, 5.2.4.2