Moderate severityNVD Advisory· Published Dec 7, 2013· Updated Jun 17, 2026
CVE-2013-6416
CVE-2013-6416
Description
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 4.0.0, < 4.0.2 | 4.0.2 |
Affected products
7cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*range: <=4.0.1
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-w37c-q653-qg95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-6416ghsaADVISORY
- weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_releasedghsaWEB
- github.com/rails/rails/commit/4b4f5847f64f81c961625e647711ef9f6ad1a454ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.ymlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/message/rawnvdWEB
- web.archive.org/web/20200228165109/http://www.securityfocus.com/bid/64071ghsaWEB
- weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/nvd
- www.securityfocus.com/bid/64071nvd
News mentions
0No linked articles in our index yet.