VYPR

RubyGems package

actionview

pkg:gem/actionview

Vulnerabilities (13)

  • CVE-2026-33168 (Low) Mar 23, 2026
    affected >= 8.1.0.beta1, < 8.1.2.1; fixed 8.1.2.1

    Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed

  • CVE-2023-23913 (Medium) Jan 9, 2025
    affected >= 5.1.0, < 6.1.7.3; fixed 6.1.7.3

    There is a potential DOM-based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a

  • CVE-2022-27777 May 26, 2022
    affected < 5.2.7.1; fixed 5.2.7.1

    An XSS vulnerability in Action View tag helpers (Rails 5.2.0 and later, before the 5.2.7.1 fix) which would allow an attacker to inject content if able to control input into specific attributes.

  • CVE-2020-15169 Sep 11, 2020
    affected < 5.2.4.4; fixed 5.2.4.4

    In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS

  • CVE-2020-8163 Jul 2, 2020
    affected < 4.2.11.3; fixed 4.2.11.3

    There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform RCE.

  • CVE-2020-8167 Jun 19, 2020
    affected >= 5.0.0, < 5.2.4.3; fixed 5.2.4.3

    A CSRF vulnerability exists in the rails-ujs module of Rails <= 6.0.3 that could allow attackers to send CSRF tokens to the wrong domains.

  • CVE-2020-5267 Mar 19, 2020
    affected < 5.2.4.2; fixed 5.2.4.2

    In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.

  • CVE-2019-5419 Mar 27, 2019
    affected >= 4.0.0, < 4.2.11.1; fixed 4.2.11.1

    There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

  • CVE-2019-5418 (KEV) Mar 27, 2019
    affected >= 5.2.0, < 5.2.2.1; fixed 5.2.2.1

    There is a file content disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted Accept headers can cause the contents of arbitrary files on the target system's filesystem to be exposed.

  • CVE-2016-6316 (Medium) Sep 7, 2016
    affected >= 3.0.0, < 3.2.22.3; fixed 3.2.22.3

    Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handle

  • CVE-2016-2097 (Medium) Apr 7, 2016
    affected >= 3.0.0, < 3.2.22.2; fixed 3.2.22.2

    Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this v

  • CVE-2016-0752 (High, KEV) Feb 16, 2016
    affected >= 4.0.0, < 4.1.14.1; fixed 4.1.14.1

    Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render met

  • CVE-2011-0446 Feb 14, 2011
    affected < 2.3.11; fixed 2.3.11

    Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
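Added example for the two directory-traversal entries above (CVE-2016-2097 and CVE-2016-0752); this is not code from Action View or from this page. It shows the check a controller should apply to a user-supplied template name before passing it to `render`: a literal allowlist, and a path-confinement fallback for cases where an allowlist is impractical. Nothing in it depends on Rails; the allowlist contents, the template root and the sample names are assumptions made for the example.

```ruby
# Added example, not code from Action View or from this page: two ways a
# controller can confine a user-supplied template name before calling
# `render`, which is the "unrestricted use of the render method" that
# CVE-2016-0752 and CVE-2016-2097 describe. The vulnerable shape is
#
#   render params[:template]   # attacker sends "../../../../etc/passwd"
#
# Nothing below depends on Rails; the allowlist, root and inputs are
# constructed for the example.

# Hypothetical allowlist of templates an action may render (assumption:
# a real application lists its own template names here).
ALLOWED_TEMPLATES = %w[welcome about pricing].freeze

# Strictest fix: the name must appear literally on the allowlist.
# Returns the name, or nil when it is refused.
def allowlisted_template(name)
  ALLOWED_TEMPLATES.include?(name) ? name : nil
end

# More general fix when an allowlist is impractical: resolve the name
# under a fixed template root and refuse anything that ends up outside it.
# Returns the resolved path as a String, or nil when it escapes the root.
def confined_template_path(name, root)
  return nil if name.nil? || name.empty? || name.include?("\0")
  # File.expand_path treats a leading "~" as a home directory (and raises
  # for an unknown user), so a tilde is never a valid template name here.
  return nil if name.start_with?("~")

  root_path = File.expand_path(root)
  candidate = File.expand_path(name, root_path)
  # expand_path has already collapsed "." and ".." lexically and honours an
  # absolute name, so any traversal attempt shows up as a candidate that is
  # no longer under the root (or is the root itself).
  return nil unless candidate.start_with?(root_path + File::SEPARATOR)
  candidate
end

if $PROGRAM_NAME == __FILE__
  root = "/app/views/pages"
  ["welcome", "nested/../about", "../../../../etc/passwd", "/etc/passwd", "~/x"].each do |name|
    printf("%-28s allowlist=%-10s confined=%s\n", name.inspect,
           allowlisted_template(name).inspect, confined_template_path(name, root).inspect)
  end
end
```

The allowlist is the right fix whenever the set of renderable templates is known; the confinement check is a fallback, and a controller that uses it should still pass the result to `render` with an explicit `template:` or `file:` option rather than as a bare positional argument.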
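Added example for the CVE-2020-5267 entry above; this is not code from Action View or from this page. It is a standalone escaper shaped like `escape_javascript` (`j`), beside a variant that omits the backtick and `$` entries that fix added, plus a check showing why a value that survives the old escaping untouched can terminate a backtick template literal or open a `${}` interpolation. The escape map, function names and sample payloads are constructed for the example.

```ruby
# Added example, not code from Action View or from this page: a standalone
# escaper in the shape of Action View's `escape_javascript` (`j`), beside a
# variant that lacks the backtick and "$" entries the CVE-2020-5267 fix
# added. The view pattern at issue is a value placed inside a JavaScript
# template literal:
#
#   <script>const name = `<%= j user_supplied_name %>`;</script>
#
# The escape map and the sample inputs are constructed for this example.

# Escape map after the fix: backslash, "</" (so a closing </script> cannot
# end the script block), line terminators, both quote styles, backtick and
# "$", plus the U+2028/2029 line separators.
JS_ESCAPE_MAP = {
  "\\"     => "\\\\",
  "</"     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "`"      => "\\`",       # added by the CVE-2020-5267 fix
  "$"      => "\\$",       # added by the CVE-2020-5267 fix
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;"
}.freeze

# The same map without the two template-literal characters: pre-fix behaviour.
PRE_FIX_JS_ESCAPE_MAP = JS_ESCAPE_MAP.reject { |k, _| ["`", "$"].include?(k) }.freeze

# Build one alternation regex from a map's keys, longest key first, so the
# multi-character keys ("</", "\r\n") win over their single-character prefixes.
def js_escape_regex(map)
  Regexp.union(map.keys.sort_by { |k| -k.length })
end

def escape_javascript(str)
  str.to_s.gsub(js_escape_regex(JS_ESCAPE_MAP), JS_ESCAPE_MAP)
end

def pre_fix_escape_javascript(str)
  str.to_s.gsub(js_escape_regex(PRE_FIX_JS_ESCAPE_MAP), PRE_FIX_JS_ESCAPE_MAP)
end

# True when the escaped value, once embedded in a backtick literal, still
# contains a live backtick or "${": the attacker can then close the literal
# or open an interpolation. A character is live when it is preceded by an
# even number of backslashes (including zero).
def breaks_out_of_template_literal?(escaped)
  escaped.match?(/(?<!\\)(\\\\)*(`|\$\{)/)
end

if $PROGRAM_NAME == __FILE__
  payload = "`; alert(document.cookie); //"
  [["pre-fix", pre_fix_escape_javascript(payload)], ["fixed  ", escape_javascript(payload)]].each do |label, out|
    puts "#{label}: #{out.inspect}  breaks out: #{breaks_out_of_template_literal?(out)}"
  end
end
```

The check function is what a reviewer would run over a template's escaped output: with the pre-fix map the payload comes back unchanged and the literal is terminated; with the fixed map both the backtick and `$` are backslash-escaped, so the string stays inside the literal.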