{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","type":"gem","namespace":"","name":"actionpack","version":"4.0.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.0.3","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37603?format=json","vulnerability_id":"VCID-2p4p-apst-v3cq","summary":"XSS Vulnerability in simple_format helper\nThe simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.","references":[{"reference_url":"http://seclists.org/oss-sec/2013/q4/404","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/404"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}],"aliases":["CVE-2013-6416"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2p4p-apst-v3cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37602?format=json","vulnerability_id":"VCID-464e-wb3p-j3dn","summary":"Reflective XSS Vulnerability\nThere is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.","references":[{"reference_url":"http://seclists.org/oss-sec/2013/q4/401","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/401"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51660?format=json","purl":"pkg:gem/actionpack@3.2.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}],"aliases":["CVE-2013-4491"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-464e-wb3p-j3dn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37599?format=json","vulnerability_id":"VCID-gadc-jens-nuga","summary":"Denial of Service Vulnerability in Action View\nThere is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.","references":[{"reference_url":"http://seclists.org/oss-sec/2013/q4/400","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/400"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-6414","reference_id":"CVE-2013-6414","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-6414"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51660?format=json","purl":"pkg:gem/actionpack@3.2.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}],"aliases":["CVE-2013-6414"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gadc-jens-nuga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37600?format=json","vulnerability_id":"VCID-ghj9-vyyr-tub8","summary":"XSS Vulnerability in number_to_currency\nThe number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack.","references":[{"reference_url":"http://seclists.org/oss-sec/2013/q4/402","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/402"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51660?format=json","purl":"pkg:gem/actionpack@3.2.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}],"aliases":["CVE-2013-6415"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ghj9-vyyr-tub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37598?format=json","vulnerability_id":"VCID-z94j-z575-4ydx","summary":"Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)\nDue to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses.","references":[{"reference_url":"http://seclists.org/oss-sec/2013/q4/403","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/403"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51660?format=json","purl":"pkg:gem/actionpack@3.2.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/51661?format=json","purl":"pkg:gem/actionpack@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}],"aliases":["CVE-2013-6417"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z94j-z575-4ydx"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2"}