PT-2014-3469 · Ruby +2 · Ruby On Rails +2

Published: 2014-02-20 · Updated: 2019-08-08 · CVE-2014-0081

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Ruby on Rails versions prior to 3.2.17
Ruby on Rails versions 4.0.x prior to 4.0.3
Ruby on Rails versions 4.1.x prior to 4.1.0.beta2
Description

The issue concerns multiple cross-site scripting (XSS) vulnerabilities in Ruby on Rails. They allow remote attackers to inject arbitrary web script or HTML via the format, negative_format, or units parameter of the number_to_currency, number_to_percentage, and number_to_human helpers. The vulnerability arises because these helper parameters are not escaped correctly, so any application that passes user-controlled data as one of them is exposed to an XSS attack.
Recommendations

For Ruby on Rails versions prior to 3.2.17, upgrade to version 3.2.17 or later.
For Ruby on Rails versions 4.0.x prior to 4.0.3, upgrade to version 4.0.3 or later.
For Ruby on Rails versions 4.1.x prior to 4.1.0.beta2, upgrade to version 4.1.0.beta2 or later.

As a temporary workaround, escape the value passed to the format, negative_format, and units parameters, for example by replacing params[:format] with h(params[:format]).
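The workaround above applied as a small wrapper, added here as an illustration (it is not code from the advisory or from Rails): the option values the advisory names are HTML-escaped with ERB::Util.html_escape (the same escaping the h helper performs) before they reach the number helpers, while all other options pass through untouched. The helper names safe_number_options and escape_number_option, the UNSAFE_NUMBER_OPTIONS constant and the request parameters are constructed for this example; in a Rails view the call would read number_to_currency(amount, safe_number_options(params)).

```ruby
require "erb"

# Option keys whose values the affected helpers interpolated without escaping
# (names as given in the advisory; :negative_format is the Rails option name).
UNSAFE_NUMBER_OPTIONS = %i[format negative_format units].freeze

# Escapes one option value: strings are HTML-escaped, hashes (number_to_human's
# :units may be a hash such as { unit: "B", thousand: "kB" }) are escaped per
# value, and anything else (symbols, numbers, nil) is returned unchanged.
def escape_number_option(value)
  case value
  when String then ERB::Util.html_escape(value)
  when Hash   then value.transform_values { |v| escape_number_option(v) }
  else value
  end
end

# Returns a copy of +opts+ (string or symbol keys) with the three risky values
# escaped; every other option is copied through as-is.
def safe_number_options(opts)
  opts.each_with_object({}) do |(key, value), out|
    key = key.to_sym
    out[key] = UNSAFE_NUMBER_OPTIONS.include?(key) ? escape_number_option(value) : value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: the format value carries markup that the
  # vulnerable helper would have emitted verbatim.
  params = { "format" => "%u%n<b>bold</b>", "precision" => 2 }
  p safe_number_options(params)
  # => {:format=>"%u%n&lt;b&gt;bold&lt;/b&gt;", :precision=>2}
end
```

Escaping the values here, rather than the helper's whole output, keeps the fix aligned with what the upgrade does: the numeric formatting still works, only the attacker-controlled markup loses its meaning.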

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CESA-2014_0306
CVE-2014-0081
DSA-2929-1
GHSA-M46P-GGM5-5J83
MGASA-2014-0191
RHSA-2014:0215
RHSA-2014:0306
SUSE-SU-2014_0457-2

Affected Products

Centos
Ruby On Rails
Suse