VYPR
Moderate severityNVD Advisory· Published Mar 19, 2013· Updated Jun 16, 2026

CVE-2013-1855

CVE-2013-1855

Description

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
actionpackRubyGems
< 2.3.182.3.18
actionpackRubyGems
>= 3.0.0, < 3.1.123.1.12
actionpackRubyGems
>= 3.2.0, < 3.2.133.2.13

Affected products

164
  • Rubyonrails/Rails149 versions
    cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*+ 148 more
    • cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*+ 12 more
    • cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*range: <=2.3.17
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 2.3.18

Patches

Vulnerability mechanics

References

20

News mentions

0

No linked articles in our index yet.