{"id":"CVE-2020-15169","details":"In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.","aliases":["GHSA-cfjv-5498-mph5"],"modified":"2026-04-11T12:32:12.323289Z","published":"2020-09-11T16:15:12.287Z","related":["GHSA-cfjv-5498-mph5","SUSE-SU-2020:2686-1","SUSE-SU-2020:3036-1","SUSE-SU-2020:3147-1","SUSE-SU-2020:3160-1","SUSE-SU-2023:2059-1","openSUSE-SU-2020:1993-1","openSUSE-SU-2020:2000-1","openSUSE-SU-2024:10589-1","openSUSE-SU-2024:11320-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"33"}],"source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4766"},{"type":"FIX","url":"https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"fixed":"404ad9e8acf8ab45ae2314050131a00e57e63b40"},{"fixed":"070d4afacd3e9721b7e3a4634e4d026b5fa2c32c"}],"database_specific":{"cpe":"cpe:2.3:a:action_view_project:action_view:*:*:*:*:*:ruby:*:*","extracted_events":[{"introduced":"0"},{"fixed":"5.2.4.4"},{"introduced":"6.0.0.0"},{"fixed":"6.0.3.3"}],"source":"CPE_FIELD"}}],"versions":["v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.12.0","v0.13.0","v0.13.1","v0.14.1","v0.14.3","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.4.1","v0.9.5","v1.1.0","v1.1.0_RC1","v1.1.1","v2.0.0","v2.0.0_PR","v2.0.0_RC1","v2.0.0_RC2","v2.0.1","v3.0.0.beta.3","v3.0.0.beta3","v3.1.0.beta1","v3.1.0.rc1","v3.2.0.rc1","v4.0.0.beta1","v4.0.0.rc1","v4.2.0.beta1","v5.0.0.beta1","v5.0.0.beta2","v5.0.0.beta4","v5.1.0.beta1","v5.2.0.rc1","v5.2.1.rc1","v5.2.4","v5.2.4.1","v5.2.4.2","v5.2.4.3","v5.2.4.rc1","v6.0.0","v6.0.0.beta1","v6.0.0.beta2","v6.0.0.rc1","v6.0.3","v6.0.3.1","v6.0.3.2","v6.0.3.rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15169.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}