{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37513?format=json","vulnerability_id":"VCID-qmvt-9qth-77a6","summary":"XSS Vulnerability in the `sanitize` helper\nThe `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.","aliases":[{"alias":"CVE-2013-1857"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51450?format=json","purl":"pkg:gem/actionpack@2.3.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@2.3.18"},{"url":"http://public2.vulnerablecode.io/api/packages/51451?format=json","purl":"pkg:gem/actionpack@3.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/51452?format=json","purl":"pkg:gem/actionpack@3.2.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.13"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51353?format=json","purl":"pkg:gem/actionpack@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kt2t-d3bx-jydv"},{"vulnerability":"VCID-puve-cp8z-zbdr"},{"vulnerability":"VCID-qmvt-9qth-77a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@2.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/51281?format=json","purl":"pkg:gem/actionpack@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7m31-x66p-3bha"},{"vulnerability":"VCID-dx34-zm9p-1ydc"},{"vulnerability":"VCID-f21a-143f-9qay"},{"vulnerability":"VCID-kt2t-d3bx-jydv"},{"vulnerability":"VCID-p6yg-d8wm-4bgz"},{"vulnerability":"VCID-puve-cp8z-zbdr"},{"vulnerability":"VCID-qmvt-9qth-77a6"},{"vulnerability":"VCID-t9c8-r3yp-sbde"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.0"}],"references":[{"reference_url":"https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qmvt-9qth-77a6"}