VYPR
Medium severity (6.1) · NVD Advisory · Published Jan 30, 2016 · Updated May 6, 2026

CVE-2016-1143

Description

Cross-site scripting (XSS) vulnerability in main.rb in Vine MV before 2015-11-08 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (2)

  • cpe:2.3:a:vine_mv_project:vine_mv:*:*:*:*:*:*:*:* (range: <=2015-09-09)
  • (no CPE) (range: <2015-11-08)

Patches

Vulnerability mechanics

Root cause

"The application did not properly escape HTML output, allowing for script injection."

Attack vector

An unauthenticated remote attacker can send a crafted request to the application. This request contains arbitrary web script or HTML in unspecified vectors. The application then renders this input without proper sanitization, leading to a cross-site scripting attack [CWE-79]. The CVSS vector indicates that user interaction is required for exploitation.

Affected code

The vulnerability resides in the main.rb file, specifically in how dynamic content is rendered. The patch modifies this file to enable automatic HTML escaping for ERB templates and adds the 'erubis' gem to the Gemfile to support this functionality.

What the fix does

The patch modifies the application to automatically escape HTML when rendering ERB templates. This is achieved by requiring the 'erubis' gem and setting the :escape_html option to true for ERB rendering. Additionally, the 'erubis' gem is added to the Gemfile. This change ensures that any user-supplied input rendered in the HTML output is properly escaped, preventing the injection of arbitrary web script or HTML [patch_id=4410237].
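The following Ruby script is an added illustration, not code from Vine MV or from the advisory's patch. It uses the standard-library ERB to model the behaviour the fix enables: with escape_html off, a <%= %> value is inserted into the page verbatim; with it on, every <%= %> value is HTML-escaped while <%== %> stays raw, which is the convention erubis applies under :escape_html => true. The template, the locals and the small preprocessing wrapper are constructed for the example and are assumptions, not erubis's implementation.

```ruby
require "erb"

# Constructed view fragment standing in for part of an ERB page rendered by
# main.rb in an app like Vine MV (not the project's own template).
# `heading` is trusted, site-controlled text; `comment` is user-supplied.
TEMPLATE = "<h1><%== heading %></h1><p class=\"comment\"><%= comment %></p>"

# Rewrite the template so that <%= expr %> is wrapped in html_escape and
# <%== expr %> stays raw, mirroring erubis's :escape_html convention.
# This wrapper is a stand-in for the example, not erubis itself.
def preprocess(template, escape_html:)
  template.gsub(/<%=(=?)\s*(.+?)\s*%>/m) do
    raw_marker, expr = $1, $2
    if escape_html && raw_marker.empty?
      "<%= ERB::Util.html_escape((#{expr})) %>"
    else
      "<%= #{expr} %>"
    end
  end
end

# Render the template with the given locals in either mode.
def render(template, locals, escape_html:)
  ERB.new(preprocess(template, escape_html: escape_html)).result_with_hash(locals)
end

# Constructed sample input: a benign heading and a comment carrying markup.
LOCALS = { heading: "Latest <em>posts</em>",
           comment: "<script>alert(1)</script>" }.freeze

# Before the fix: plain ERB, user markup lands in the page unchanged.
def render_vulnerable
  render(TEMPLATE, LOCALS, escape_html: false)
end

# After the fix: <%= %> output is escaped, <%== %> output is left raw.
def render_fixed
  render(TEMPLATE, LOCALS, escape_html: true)
end

if $PROGRAM_NAME == __FILE__
  puts "before fix: #{render_vulnerable}"
  puts "after fix:  #{render_fixed}"
end
```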

Preconditions

  • auth: No authentication is required to exploit this vulnerability.
  • network: The vulnerability is accessible over the network.
  • input: The attacker must provide a payload containing arbitrary web script or HTML.
  • input: The payload must be sent via unspecified vectors.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)
