GCVE - cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*

part: a version: * update: *

Vendor	Rubyonrails (`a0962337-0e2d-518c-b84b-f2864721d062`)
Product	Html Sanitizer (`8cc62566-aab4-591e-8b2b-33db62abe2b2`)
Edition	*
Language	*
Software edition	*
Target software	ruby
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-3741`	vulnerable	2026-06-03 14:38:50.359414	Details available There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately. Published: 2018-03-30T19:00:00.000Z Updated: 2024-08-05T04:50:30.644Z Open on db.gcve.eu Reference links https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-7580`	vulnerable	2026-06-03 14:35:09.476749	Details available Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. Published: 2016-02-16T02:00:00.000Z Updated: 2024-08-06T07:51:28.598Z Open on db.gcve.eu Reference links https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/15 http://www.securitytracker.com/id/1034816 https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-7579`	vulnerable	2026-06-03 14:35:09.475695	Details available Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. Published: 2016-02-16T02:00:00.000Z Updated: 2024-08-06T07:51:28.640Z Open on db.gcve.eu Reference links https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.securitytracker.com/id/1034816	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-7578`	vulnerable	2026-06-03 14:35:09.469427	Details available Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. Published: 2016-02-16T02:00:00.000Z Updated: 2024-08-06T07:51:28.491Z Open on db.gcve.eu Reference links http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://www.openwall.com/lists/oss-security/2016/01/25/11 http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4 http://www.securitytracker.com/id/1034816	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.