Medium severity (score 6.1) · NVD Advisory · Published Sep 7, 2016 · Updated May 6, 2026
CVE-2016-6316
Description
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| actionview | RubyGems | >= 3.0.0, < 3.2.22.3 | 3.2.22.3 |
| actionview | RubyGems | >= 4.0.0, < 4.2.7.1 | 4.2.7.1 |
| actionview | RubyGems | >= 5.0.0, < 5.0.0.1 | 5.0.0.1 |
Affected products
41 package coordinates (GHSA coords). None of the entries carries a CPE identifier; each SUSE rpm coordinate is listed for SUSE Enterprise Storage 3, SUSE Enterprise Storage 4, SUSE OpenStack Cloud 6 and SUSE OpenStack Cloud 7, with the same affected range on all four distributions.

| Package | Ecosystem | Affected range |
|---|---|---|
| actionview | RubyGems (pkg:gem/actionview) | >= 3.0.0, < 3.2.22.3 |
| rubygem-actionmailer-4_2 | SUSE rpm | < 4.2.9-3.3.1 |
| rubygem-actionpack-4_2 | SUSE rpm | < 4.2.9-7.3.1 |
| rubygem-actionview-4_2 | SUSE rpm | < 4.2.9-9.3.1 |
| rubygem-activejob-4_2 | SUSE rpm | < 4.2.9-3.3.1 |
| rubygem-activemodel-4_2 | SUSE rpm | < 4.2.9-6.3.1 |
| rubygem-activerecord-4_2 | SUSE rpm | < 4.2.9-6.3.1 |
| rubygem-activesupport-4_2 | SUSE rpm | < 4.2.9-7.3.1 |
| rubygem-rails-4_2 | SUSE rpm | < 4.2.9-3.3.1 |
| rubygem-rails-html-sanitizer | SUSE rpm | < 1.0.3-8.3.1 |
| rubygem-railties-4_2 | SUSE rpm | < 4.2.9-3.3.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/ (NVD: Release Notes, Vendor Advisory; GHSA: Web)
- www.debian.org/security/2016/dsa-3651 (NVD: Third Party Advisory, Web)
- www.openwall.com/lists/oss-security/2016/08/11/3 (NVD: Third Party Advisory, Web)
- github.com/advisories/GHSA-pc3m-v286-2jwj (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-6316 (GHSA: Advisory)
- rhn.redhat.com/errata/RHSA-2016-1855.html (NVD: Web)
- rhn.redhat.com/errata/RHSA-2016-1856.html (NVD: Web)
- rhn.redhat.com/errata/RHSA-2016-1857.html (NVD: Web)
- rhn.redhat.com/errata/RHSA-2016-1858.html (NVD: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-6316.yml (GHSA: Web)
- groups.google.com/forum/ (GHSA: Web; NVD)
- web.archive.org/web/20200227202008/http://www.securityfocus.com/bid/92430 (GHSA: Web)
- web.archive.org/web/20200812154343/https://puppet.com/security/cve/cve-2016-6316 (GHSA: Web)
- www.securityfocus.com/bid/92430 (NVD)
- puppet.com/security/cve/cve-2016-6316 (NVD)
News mentions
No linked articles in our index yet.