Vulnerability CVE-2013-4491 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4491 (CCN-89433)

Assigned:

2013-12-03

Published:

2013-12-03

Updated:

2019-08-08

Summary:

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2013-4491

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1904

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1906

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1907

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0009

Source: CCN
Type: Puppet Labs Web Site
CVE-2013-4491 (XSS vulnerability in Ruby on Rails)

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1794

Source: CCN
Type: RHSA-2014-0008
Important: ruby193-rubygem-actionpack security update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0008

Source: CCN
Type: RHSA-2014-1863
Important: Subscription Asset Manager 1.4 security update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1863

Source: CCN
Type: SA55864
Ruby on Rails Multiple Vulnerabilities

Source: CCN
Type: SA55865
Ruby on Rails Multiple Vulnerabilities

Source: CCN
Type: SA57836
Chef Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
57836

Source: CCN
Type: Ruby On Rails Web site
Rails 3.2.16 and 4.0.2 have been released!

Source: CONFIRM
Type: UNKNOWN
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/

Source: DEBIAN
Type: UNKNOWN
DSA-2888

Source: CONFIRM
Type: UNKNOWN
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

Source: BID
Type: UNKNOWN
64076

Source: CCN
Type: BID-64076
RubyGems i18n Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
rubyonrails-cve20134491-xss(89433)

Source: MLIST
Type: UNKNOWN
[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails

Source: CONFIRM
Type: UNKNOWN
https://puppet.com/security/cve/cve-2013-4491

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4491

Vulnerable Configuration:

Configuration 1:

cpe:/a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:*:-:*:*:*:*:*:* (Version <= 4.0.1)

OR cpe:/a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*

Configuration 2:

cpe:/a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.0.4:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (Version <= 3.2.15)

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:rubyonrails:rails:3.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*

AND

cpe:/a:puppet:puppet:3.4.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:redhat:openstack:3.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:26227	P	Security update for the Linux Kernel (Important)	2022-01-13
oval:org.opensuse.security:def:26181	P	Security update for mozilla-nss (Important)	2021-12-06
oval:org.opensuse.security:def:20134491	V	CVE-2013-4491	2021-10-24
oval:org.opensuse.security:def:26117	P	Security update for xen (Important)	2021-09-02
oval:org.opensuse.security:def:26106	P	Security update for libmspack (Moderate)	2021-08-17
oval:org.opensuse.security:def:26105	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:36556	P	rubygem-actionpack-3_2-3.2.12-0.19.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:26216	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:28964	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:26215	P	Security update for openssl-1_1 (Important)	2021-03-25
oval:org.opensuse.security:def:26419	P	Security update for mbedtls (Moderate)	2020-12-01
oval:org.opensuse.security:def:27554	P	rubygem-actionpack-3_2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28282	P	Security update for mysql (Important)	2020-12-01
oval:org.opensuse.security:def:26894	P	file-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26682	P	cyrus-imapd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27835	P	Security update for MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:26291	P	Security update for python-reportlab (Important)	2020-12-01
oval:org.opensuse.security:def:27519	P	nagios on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28268	P	Security update for mercurial (Moderate)	2020-12-01
oval:org.opensuse.security:def:26845	P	xorg-x11-libs-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26531	P	coolkey on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27753	P	Security update for git	2020-12-01
oval:org.opensuse.security:def:27664	P	Security update for rubygem-actionpack-2_3	2020-12-01
oval:org.opensuse.security:def:26881	P	dbus-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28229	P	Security update for libtirpc, rpcbind (Important)	2020-12-01
oval:org.opensuse.security:def:26792	P	openssh on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26447	P	Security update for pdns (Important)	2020-12-01
oval:org.opensuse.security:def:27625	P	Security update for java-1_4_2-ibm	2020-12-01
oval:org.opensuse.security:def:27629	P	Security update for krb5	2020-12-01
oval:org.opensuse.security:def:26837	P	vte on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28180	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26641	P	syslog-ng on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26390	P	Security update for ark (Low)	2020-12-01
oval:org.opensuse.security:def:28999	P	Security update for hawk	2020-12-01
oval:org.opensuse.security:def:27561	P	rubygem-rack-1_4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26991	P	mono-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26823	P	star on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28127	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:26557	P	gnome-screensaver on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26309	P	Security update for haproxy (Important)	2020-12-01
oval:org.opensuse.security:def:27550	P	qt3-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26947	P	libexif on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26784	P	mono-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27976	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:26500	P	Security update for ffmpeg-4 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28326	P	Security update for perl-DBD-mysql (Moderate)	2020-12-01
oval:org.opensuse.security:def:27549	P	qemu on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26933	P	krb5-plugin-kdb-ldap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26735	P	libMagickCore1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27892	P	Security update for samba (Important)	2020-12-01
oval:com.ubuntu.xenial:def:201344910000000	V	CVE-2013-4491 on Ubuntu 16.04 LTS (xenial) - medium.	2013-12-06
oval:com.ubuntu.artful:def:20134491000	V	CVE-2013-4491 on Ubuntu 17.10 (artful) - medium.	2013-12-06
oval:com.ubuntu.xenial:def:20134491000	V	CVE-2013-4491 on Ubuntu 16.04 LTS (xenial) - medium.	2013-12-06
oval:com.ubuntu.bionic:def:20134491000	V	CVE-2013-4491 on Ubuntu 18.04 LTS (bionic) - medium.	2013-12-06
oval:com.ubuntu.precise:def:20134491000	V	CVE-2013-4491 on Ubuntu 12.04 LTS (precise) - medium.	2013-12-06
oval:com.ubuntu.bionic:def:201344910000000	V	CVE-2013-4491 on Ubuntu 18.04 LTS (bionic) - medium.	2013-12-06
oval:com.ubuntu.trusty:def:20134491000	V	CVE-2013-4491 on Ubuntu 14.04 LTS (trusty) - medium.	2013-12-06